Windows Analysis Report
1.e

Overview

General Information

Sample name: 1.e
Analysis ID: 1573430
MD5: 7edaa17bcdc442895fe31a9093520e03
SHA1: 8a1e6f252759608e19508b46820a72c883624a7e
SHA256: cb8ee5026e0269e8253be06ce4a2326bdd91433490ce18cc16ad0297e3d1447a

Detection

DanaBot
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
Yara detected DanaBot stealer dll
Checks for available system drives (often done to infect USB drives)
Contains long sleeps (>= 3 min)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Queries information about the installed CPU (vendor, model number etc)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Yara detected Credential Stealer

Classification

  • System is w10x64_ra
  • msiexec.exe (PID: 2848 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 6672 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • WiseTurbo.exe (PID: 6568 cmdline: "C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe" MD5: 80A9A30490135B5E5046150B12405891)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
DanaBot | Proofpoint describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on quality over quantity in email-based threats. DanaBot's modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker. | SCULLY SPIDER | | https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot
Source | Rule | Description | Author | Strings
00000004.00000003.1272234595.0000000007257000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000004.00000003.1272234595.0000000007257000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security |
00000004.00000003.1279181106.000000000830E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000004.00000003.1279181106.000000000830E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_DanaBot_stealer_dll | Yara detected DanaBot stealer dll | Joe Security |
00000004.00000003.1265647500.00000000077E9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe, ProcessId: 6568, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Advanced LModel Server
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-12T00:14:04.184305+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49711 | 23.227.178.53 | 443 | TCP
2024-12-12T00:14:05.281153+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49712 | 185.174.135.68 | 443 | TCP
2024-12-12T00:14:06.370144+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49713 | 148.251.107.246 | 443 | TCP
2024-12-12T00:14:07.472959+0100 | 2034465 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49714 | 185.81.114.227 | 443 | TCP


            AV Detection

Source: Yara match | File source: 00000004.00000003.1272234595.0000000007257000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1279181106.000000000830E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1265647500.00000000077E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2460685670.0000000009A59000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2453261346.00000000093B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | File opened: C:\Users\user\AppData

            Networking

Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.16:49712 -> 185.174.135.68:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.16:49711 -> 23.227.178.53:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.16:49714 -> 185.81.114.227:443
Source: Network traffic | Suricata IDS: 2034465 - Severity 1 - ET MALWARE Danabot Key Exchange Request : 192.168.2.16:49713 -> 148.251.107.246:443
Source: global traffic | TCP traffic: 192.168.2.16:49706 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.2.16:49706 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.2.16:49706 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.2.16:49706 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.2.16:49706 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.2.16:49706 -> 8.8.8.8:53
Source: global traffic | TCP traffic: 192.168.2.16:49706 -> 8.8.8.8:53
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.135.68
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.135.68
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.135.68
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.135.68
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.114.227
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.114.227
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.114.227
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.114.227
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.135.68
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.135.68
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.135.68
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.135.68
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.114.227
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.114.227
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.114.227
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.114.227
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 23.227.178.53
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.135.68
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.135.68
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.135.68
Source: unknown | TCP traffic detected without corresponding DNS query: 185.174.135.68
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 148.251.107.246
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.114.227
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.114.227
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.114.227
Source: unknown | TCP traffic detected without corresponding DNS query: 185.81.114.227
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443

            E-Banking Fraud

Source: Yara match | File source: 00000004.00000003.1272234595.0000000007257000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1279181106.000000000830E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1265647500.00000000077E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2460685670.0000000009A59000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2453261346.00000000093B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\603e3e.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{7C90854F-C62E-43ED-A4EE-2712406CBF59}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI416B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\603e40.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\603e40.msi
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\603e40.msi
Source: classification engine | Classification label: mal56.troj.winE@4/32@0/45
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Mutant created: \Sessions\1\BaseNamedObjects\60534032
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$19a8
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DF303A099BA6F064A7.TMP
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | File read: C:\Program Files (x86)\desktop.ini
Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: 1.e | Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe "C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe"
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe "C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe"
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptnet.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: webio.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: web-com.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: faultrep.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: pcs-cakesm.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: filesystemdialogscom.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: filesystemdialogs.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: olepro32.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeSection loaded: mpr.dll
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeSection loaded: netapi32.dll
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeSection loaded: netutils.dll
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeSection loaded: samcli.dll
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeSection loaded: avifil32.dll
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeSection loaded: msvfw32.dll
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeSection loaded: msacm32.dll
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeSection loaded: winmmbase.dll
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeSection loaded: winmmbase.dll
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeSection loaded: cryptui.dll
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeSection loaded: pstorec.dll
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeSection loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeSection loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: 1.eStatic file information: File size 18059264 > 1048576
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\sqlite3.dll
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WebView2Loader.dll
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseDefrag.dll
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\web-com.dll
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WJSLib.dll
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\libeay32.dll
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\ssleay32.dll
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\FilesystemDialogsCOM.dll
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\PCS-CakeSM.dll
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Advanced LModel Server
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Advanced LModel Server
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeProcess information set: NOGPFAULTERRORBOX
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeWindow / User API: threadDelayed 514
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WebView2Loader.dll
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseDefrag.dll
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WJSLib.dll
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\libeay32.dll
            Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\ssleay32.dll
            Source: C:\Windows\System32\msiexec.exe TID: 6180Thread sleep time: -30000s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe TID: 6008Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe TID: 4872Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeFile opened: C:\Users\user
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeFile opened: C:\Users\user\AppData\Roaming
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeFile opened: C:\Users\user\AppData
            Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformation
            Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe "C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe"
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
            Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara matchFile source: 00000004.00000003.1272234595.0000000007257000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1279181106.000000000830E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1265647500.00000000077E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.2460685670.0000000009A59000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.2453261346.00000000093B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1272234595.0000000007257000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1279181106.000000000830E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1265647500.00000000077E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.2460685670.0000000009A59000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.2453261346.00000000093B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara matchFile source: 00000004.00000003.1272234595.0000000007257000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1279181106.000000000830E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.1265647500.00000000077E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.2460685670.0000000009A59000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.2453261346.00000000093B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 1 Process Injection | 11 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | LSASS Memory | 21 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 11 Peripheral Device Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 2 System Owner/User Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 2 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 43 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\FilesystemDialogsCOM.dll | 0% | ReversingLabs | |
            C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WJSLib.dll | 0% | ReversingLabs | |
            C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WebView2Loader.dll | 0% | ReversingLabs | |
            C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseDefrag.dll | 0% | ReversingLabs | |
            C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe | 0% | ReversingLabs | |
            C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\libeay32.dll | 0% | ReversingLabs | |
            C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\ssleay32.dll | 0% | ReversingLabs | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
              • No. of IPs < 25%
              • 25% < No. of IPs < 50%
              • 50% < No. of IPs < 75%
              • 75% < No. of IPs
              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
              8.8.8.8 | unknown | United States | | 15169 | GOOGLEUS | false
              185.174.135.68 | unknown | Iran (ISLAMIC Republic Of) | | 24768 | ALMOUROLTECPT | true
              148.251.107.246 | unknown | Germany | | 24940 | HETZNER-ASDE | true
              185.81.114.227 | unknown | United Kingdom | | 59711 | HZ-NL-ASGB | true
              23.227.178.53 | unknown | United States | | 29802 | HVC-ASUS | true
              199.232.210.172 | bg.microsoft.map.fastly.net | United States | | 54113 | FASTLYUS | false
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1573430
              Start date and time:2024-12-12 00:11:39 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:defaultwindowsinteractivecookbook.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:13
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • EGA enabled
              Analysis Mode:stream
              Analysis stop reason:Timeout
              Sample name:1.e
              Detection:MAL
              Classification:mal56.troj.winE@4/32@0/45
              • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 199.232.210.172
              • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net
              • Not all processes where analyzed, report is missing behavior information
              • Report size getting too big, too many NtEnumerateKey calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: 1.e
              Process:C:\Windows\System32\msiexec.exe
              File Type:data
              Category:modified
              Size (bytes):11907
              Entropy (8bit):5.757709908776827
              Encrypted:false
              SSDEEP:
              MD5:FA2D20C4CC6292F5ED83601E41C925EA
              SHA1:7C28F2650684BACD5E64AE9AEC54C8E95D3277B4
              SHA-256:3C416F97CDA8B776404E7062E889A9F6FFE2B76A8F593DDA140D0F273CB38287
              SHA-512:EBA0EA8FDFCE2BE9507F31C2471226C9AF3EE6FD503F022222511DE04559E8C2332676C69AF23FE4209FFB5553B700C1F1BB461FC7A099CC7BC6610898107343
              Malicious:false
              Reputation:unknown
              Preview:...@IXOS.@.....@...Y.@.....@.....@.....@.....@.....@......&.{7C90854F-C62E-43ED-A4EE-2712406CBF59}).NAPS2 - Not Another PDF Scanner Community..1.msi.@.....@.....@.....@........&.{D4E1407D-493A-4BC6-AE29-ADBE9B2DC348}.....@.....@.....@.....@.......@.....@.....@.......@....).NAPS2 - Not Another PDF Scanner Community......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{17895AE6-010E-E8A1-88C7-0A12982931D2}&.{7C90854F-C62E-43ED-A4EE-2712406CBF59}.@......&.{DDAB87CC-B48E-4894-8843-23859AF52533}&.{7C90854F-C62E-43ED-A4EE-2712406CBF59}.@......&.{92170750-BCBF-722E-587D-23DCF1C3A4E9}&.{7C90854F-C62E-43ED-A4EE-2712406CBF59}.@......&.{C3DAD3FC-7765-6FB7-42D1-85FD867BDE29}&.{7C90854F-C62E-43ED-A4EE-2712406CBF59}.@......&.{82D5AAF1-5D55-CAF8-4DD4-07D23B8673FA}&.{7C90854F-C62E-43ED-A4EE-2712406CBF59}.@......&.{CE9D475B-3394-FDB2-87E4-0BD469A78282}&.{7C90854F-C62E-43ED-A4EE-2712406CBF59}.@......&.{59C16E
              Process:C:\Windows\System32\msiexec.exe
              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
              Category:dropped
              Size (bytes):71954
              Entropy (8bit):7.996617769952133
              Encrypted:true
              SSDEEP:
              MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
              SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
              SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
              SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
              Malicious:false
              Reputation:unknown
              Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
              Process:C:\Windows\System32\msiexec.exe
              File Type:data
              Category:dropped
              Size (bytes):328
              Entropy (8bit):3.2394988199912076
              Encrypted:false
              SSDEEP:
              MD5:153B029C9B52167976634852D62859DD
              SHA1:DBA020D77E7B33A7C75FABDD043B9C5389F892E9
              SHA-256:7177C3A2B59CBD3B92A3227CAABB381152C7E32D0C94D2EDC7680DADDC5B28FB
              SHA-512:85363040F25314295628DD37B84AA6E8FC41EEF36F2164C053AA570AD352478CE16F095BD090B47BD237C6590FA863201CF3F16C2587E79C466B4EB3B5D8131B
              Malicious:false
              Reputation:unknown
              Preview:p...... .........~4."L..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
              Process:C:\Windows\System32\msiexec.exe
              File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
              Category:dropped
              Size (bytes):422529
              Entropy (8bit):7.9967259675992395
              Encrypted:true
              SSDEEP:
              MD5:4F001D0E372BAEF55838F46888E460E4
              SHA1:50450528413983B274823B87214CE6B92AACE3AD
              SHA-256:BD4C6E3FCA00C524FFDF8B1F4B491A78041F9F7E871AA1DA506B341C509CEA5F
              SHA-512:F4D01C4F9F13DAD555083F04994B64408B8A705BDDC28E608368D71FB0B39A79F472A0A46AEB943C4C317177E4F61FDEF613C194B75E19AA0F77E216190FD0A8
              Malicious:false
              Reputation:unknown
              Preview:PK.........:A@.*&Z...P.......1.png:.kQb.d.y{.....S.'V.`..,....=P.a..."........nl....G..C....|....m.......i......[+...{..u.\w&.@S..5..VP.i.C.E.3....U<.8BY...&Mj.(...Vpc.N.....b.J.U.?l..p,0.\8x.......b.F....9...y....y^.3....@B.#.<\....b.a..P.%q......YK.~.z...Z..Z{.$:..t..8.,../`..j.8.9.K^.W.E-q......?j.......b....lhU..o].Ao.......q....+()]r.....g..u.t.Bf.2..b....-+.T......I.|. b..c'.;. ...|...H.`t"...}>.t..NQ....W.^...{WG.Jq....*.!0m...1..dy.t}O{...p..j.j.0..~B...\.['.?.J.>.:..o.:8..K...A.|.p.L.T..+}......Wd.8.."K.J....Ny.TMl$w.p..ng....t&.......K...f...2......j..L..&..{......"T).p..3.......zG.=h'..kL.x.L.~."...v#.g.@.Rm...H..e#.1....TN.y4.......#*&.n7.zY....%jr....9......6.... /...r.!R...&..I.P]..E..N...XCQ.y..z......o..) 1.d#.-....Cc....n.....j...Id.D.`..J...e...E#r..K.%.R. .yR>.?..w...g`I.`U.......t.|.0.._;N.|_..9|..q....?.C....tR.O}...v....d...#[ZK....#9..[..J....n[.1...~.X.B ..$S....8%b....n...T`.l..5..#=O.._J..p.52.....wb.
              Process:C:\Windows\System32\msiexec.exe
              File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
              Category:dropped
              Size (bytes):1959574
              Entropy (8bit):5.87380288934121
              Encrypted:false
              SSDEEP:
              MD5:B65229500A751192142310AE9C73F423
              SHA1:A249912C31F7A8F6F73A9303D0F1A5808DEE340B
              SHA-256:2BF4A18E2D6DF41403BB83F24AA32E13F912DE7D2DF8953EBA36D095395C4D25
              SHA-512:F8E0121F1201F179044E7D749B6B004A73A098C5D4D2DC2ADBBA50AEBAA0A08DEF53F15C01F73CEE6134D5420DC87EC57164C0BB30F70AE2167943C40C42EE64
              Malicious:false
              Reputation:unknown
              Preview:RIFF....WAVEfmt ........D....X......dataj.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\msiexec.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):1082184
              Entropy (8bit):6.651671452170415
              Encrypted:false
              SSDEEP:
              MD5:B3D2F2C1B613083271E85148E8C0DF5B
              SHA1:77D24CEF6C2B2118DCADE8E6E5145599BA96F9CF
              SHA-256:BB841E22FF485EA6F79808A554BAA8FB13F8971A4549F09BC6665EFA19115F37
              SHA-512:D0CA04A63FE75F2FADDB3E4AAEB7969A817157568112AF2F152AA88BBC99EC5607F76B75CE4B4104A1CD1FD5A8A3CF8240031DB427D83BDBC993AE88F99815A9
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f...........!.....R...........n.......p....@.......................... ......I.....@..........................P.......0...........P...........T..H/...p...S...................................................2..<....@..f....................text....A.......B.................. ....itext.......`.......F.............. ..`.data....@...p...B...V..............@....bss.....i...............................idata.......0......................@....didata.f....@......................@....edata.......P......................@..@.rdata..E....`......................@..@.reloc...S...p...T..................@..B.rsrc....P.......P..................@..@............. .......T..............@..@........................................................
              Process:C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe
              File Type:data
              Category:dropped
              Size (bytes):5775003
              Entropy (8bit):7.999317947858843
              Encrypted:true
              SSDEEP:
              MD5:224DC6D4BD3C66490EB700ED49368889
              SHA1:F86F252E8F79041166075797CCC3F9797C88B12A
              SHA-256:19D5F176F2C0B8EFFF9983C52443335A90756BFDC40FA7DC1119AC7EAD8320E8
              SHA-512:E81D8A321FFF2E9C54127F597217478E724CC36086035E1D38D81F8DE28B708C712249C4DAF0CFDF9CEBA4EDBA18DF5EA27F68AEC54BFB2D65B2F7E281519F01
              Malicious:false
              Reputation:unknown
              Preview:.........O.X..8.".d.................................1012546698.?=<>8! #oJ@.BK++*--/.Q.VRUU_VYXolnoiowyGBEDFFIH.OMLNFqpsDEADBIKI.}|..a`c.`dggihkjklon....x........................d......................T.......................7...............................................................302:6235.........5324<769QUNXNQ_M.#"%%'&)..*--'.QPgaebeo`lTZ]\^^A@.GEDFNIHK##8*<...butwwyx{.x|.yi`cbYdgfihkj|lon....a.................................................................}................m...............................b.|.{.r.m.G.n.~.w.f.............3.325.7F9J;U=[?L!A#O%@'G)\+K-./rQ%S!U;W8Y=[.]._*A!C1E/G^IHKJMLO6tpsrutwv`x{ze|.~.ecbdngfi%(........................................../..............................................R..............................ueab`ers!a~-o.............!...?v.Q...vV.]....Z..G.....bb......Nhd.ce..baGX[ZE\_^.ECBDfGFI...,$....>32.-=5.5?E.I.+9.WP...8.%umlov.........................................................2................
              Process:C:\Windows\System32\msiexec.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):578560
              Entropy (8bit):6.592952107481228
              Encrypted:false
              SSDEEP:
              MD5:3BF3875E71A9B6E67671F30000E0F7E2
              SHA1:EAED7B556C1C844E107DEC0CC713D7463ED5F6EF
              SHA-256:621A189B244904DBA8CF26DD0F0AC745999E1AC9CF50AAB59B5966F7AC210DFF
              SHA-512:D5CDCE00352A37F9B3B93B7E5C05002A2FBD2ED529A4807E461096F156AF0E4EB46C590CC74BF6D1A8FD8082D5BB359BCB3F03460448A634FD7AA02D6F6ED78A
              Malicious:false
              Reputation:unknown
              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........................d........`.....`.....`....y`....y`..............{`....{`....{`....{`....Rich..........................PE..L...g.Yg...........!...*.....................................................`............@..........................u..X...8v..d.......L.................... ..D9..........................@@...... ?..@...............x............................text...L........................... ..`.rdata...~..........................@..@.data....u...........l..............@....rsrc...L...........................@..@.reloc..D9... ...:..................@..B........................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\msiexec.exe
              File Type:ASCII text
              Category:dropped
              Size (bytes):1132925
              Entropy (8bit):4.165711681951413
              Encrypted:false
              SSDEEP:
              MD5:82C3D338D91275B5EB82A8580C7F5A35
              SHA1:1FF9D0A6C43BA5C11ADE1513C2392844BC2CE501
              SHA-256:D13769D8A96E248C896B18740236D80249D6E5242CE4CE85C694F69CEB97E0AA
              SHA-512:5D678F5B75DC8A10A784AC91985E84767040623833B2CCC13BB304962771408130B5C5FA0C82EFB513572AC4A5F8726FD0AE0ABAEB998FF0A7DB014A32E73FF0
              Malicious:false
              Reputation:unknown
              Preview:[softinfo].e62aba971f3a96a3bfc458f7c976538d=4.3.7b30081e8c8a96de130bc0f28d0dd377=4.3.cc242e2a787df48fa6b0d4759b198247=4.7.e35a6d56f5933c0f3905be43f540d700=4.7.18cc6d39014e39ac60806d71c9e052aa=4.7.fabc24aafe772aef3e98ad185d168ad5=4.6.ed9ab2660d6531acb71d7b154a20ce5f=3.5a1df7c99792e94757ae02f0b999a97d=4.8.a07c7d7bd8bce92a901ec3fe6bad7741=4.7.01fadbf1d1dca9b1a4681a417198b098=4.7.3b90f49891049c3be9c1cb6ac6dff45e=4.3.264f24b21119fc66061f1e0b904c8a4b=3.8.69d51bb3a904da00d322462232f50ae0=3.3.ddb0e9cc2d2c9575ad95a5bbca52e1ae=4.3.2f27245f1f93d30c67f3635c89413445=4.7.9601f5d62a68876f8e635ef5f23aa61f=3.9.76ab5bb19eef12f936152f9bcbf0faaa=3.6.7526ddeadff0fc805ee64626e4765d14=4.7.e065445a3b3ae0ec9d2a850fe08b866f=4.6.eb0f529034a6b15b503034f55a5ab8ed=2.4.d389c1d3714a569b35e1d170fad735b2=4.4.d41d8cd98f00b204e9800998ecf8427e=4.7.76868ae832f6c6bd26cadc7d7c269986=4.4.214b80ae10dbe21f2a2747277bf8564e=4.6.37a25c74b081993d1a122d4f0ebeb963=4.4.570bfb8bbc141986d034a1841f9346d2=3.9.5b84104a0f2974228e031c953d335
              Process:C:\Windows\System32\msiexec.exe
              File Type:data
              Category:dropped
              Size (bytes):5774781
              Entropy (8bit):7.9993176966191895
              Encrypted:true
              SSDEEP:
              MD5:C4BF5DB25900613023DEF76E922BE592
              SHA1:4E64881DABF05A91D9F31FF6BA0B37BD00B68049
              SHA-256:BE1D239D7DF520146A8181B3B58AF176AFB3620B69D1A8BA11B8C7328A75CB14
              SHA-512:347F60D1BE604866E59D2BAD1947886938A7F3646204C2B5C5142AF9DD1CE0E9620A11B112C0E6BA7B12BDF4CBC834228AB246CE192BFAA91EEC1C6AA994E864
              Malicious:false
              Reputation:unknown
              Preview:......yw8. W..-r.(]................................1012546698.?=<>8! #oJ@.BK++*--/.Q.VRUU_VYXolnoiowyGBEDFFIH.OMLNFqpsDEADBIKI.}|..a`c.`dggihkjklon....x........................d......................T.......................7...............................................................302:6235.........5324<769QUNXNQ_M.#"%%'&)..*--'.QPgaebeo`lTZ]\^^A@.GEDFNIHK##8*<...butwwyx{.x|.yi`cbYdgfihkj|lon....a.................................................................}................m...............................b.|.{.r.m.G.n.~.w.f.............3.325.7F9J;U=[?L!A#O%@'G)\+K-./rQ%S!U;W8Y=[.]._*A!C1E/G^IHKJMLO6tpsrutwv`x{ze|.~.ecbdngfi%(........................................../..............................................R..............................ueab`ers!a~-o.............!...?v.Q...vV.]....Z..G.....bb......Nhd.ce..baGX[ZE\_^.ECBDfGFI...,$....>32.-=5.5?E.I.+9.WP...8.%umlov.........................................................2................
              Process:C:\Windows\System32\msiexec.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):170416
              Entropy (8bit):6.617746620907792
              Encrypted:false
              SSDEEP:
              MD5:47A72FF4AA7DF3BB5B29ADA4B6A5EAED
              SHA1:134F00B03C38F9AC2E2549B39B31F62A1C871B9D
              SHA-256:18B7F367D8EC6BDAA6618744051E5FF25BA317D2731C2706DC7B5DFDE296E37F
              SHA-512:6A5036A9205D6EC1B493CDACAD78FBD86E4B7F1319776EA64867C1208DAF2C0F103B20C1F0FDC511AB7B999393AA87B66ACE8D529E95A95A5958117FC2D18054
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v..n2fn=2fn=2fn=...=8fn=...=.fn=...=+fn=..=4fn=.8m<$fn=.8k<.fn=.8j< fn=;..=?fn=2fo=.fn=.8g<'fn=.8n<3fn=.8.=3fn=2f.=3fn=.8l<3fn=Rich2fn=................PE..L...OE.\...........!................/................................................r....@..........................9..0...@F..P....................v...#..........0...8...........................h...@............................................text.............................. ..`.rdata..z...........................@..@.data...D....P.......D..............@....gfids.......p.......R..............@..@.tls.................T..............@....rsrc................V..............@..@.reloc...............\..............@..B................................................................................................................................................................................................
              Process:C:\Windows\System32\msiexec.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):111512
              Entropy (8bit):6.4205442031702304
              Encrypted:false
              SSDEEP:
              MD5:86F51D662B17CA40C3A3F69046EE567D
              SHA1:DC205139F0C928F4E068E3AE50FD9AAA7E872C25
              SHA-256:933813FD47940329C2C159E0C9A067D1E3937CBDD57FD51EFD58FA0DB3E2431A
              SHA-512:E4ADEDEFCF6686B9617758AE6F38DC3DEEC47FCB843D9AAD074B8308D4C1768E8B5218348158FE9A0C1E50184EDCE9719B2FE0FB6CD9AB33730CC189907C5B7B
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...]..b.........."!.................>..............................................g.....@A.........................o.......p..(...............................8...tl...................... j......`................q..<...,n..`....................text............................... ..`.rdata..|o.......p..................@..@.data................l..............@....00cfg...............v..............@..@.tls.................x..............@....voltbl.$............z...................rsrc................|..............@..@.reloc..8...........................@..B........................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\msiexec.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):393648
              Entropy (8bit):2.9786284394853872
              Encrypted:false
              SSDEEP:
              MD5:F8E1ED1B455716402A50AA9DA2C105B1
              SHA1:FA8E08EF16AF64255259A6D4D8AE61B82396E178
              SHA-256:138D2F3CFF88404660701E5936F0C3FA389622D1987A63514BFF22524C975E2B
              SHA-512:CA46B3FB918614AB4F1AEC2BCD6FA0EB7F69D1E2E4D6192700443C22C8044B532FB5AFF8E910F2811F1FF3D45B871E5A4A042D6D4973409A063745DA4F9285E4
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]..{..(..(..(v..(..(v.9(..(v..(/.(..4(..(..(..(...(..(...(..(..(..(v..(:.(v.<(..(v.=(..(v.:(..(Rich..(........PE..L.....G[...........!.....L...................`......................................y.....@.........................`.......,...<........................#...........b..................................@............`...............................text....J.......L.................. ..`.rdata..._...`...`...P..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\msiexec.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):9164184
              Entropy (8bit):6.765657007291149
              Encrypted:false
              SSDEEP:
              MD5:80A9A30490135B5E5046150B12405891
              SHA1:9963DA51D1D267EF89953CE302A6F5F3E964C8C1
              SHA-256:6238E54F5E1B6BF8B0F99FD636D18E65E0DB92C55804ED1D6814D78129E0A5EF
              SHA-512:7FDB9C233961CA19C3433ABF2F28F0684A03ADA9ED92B7A91C50A66A1C2CD4F4F2BC8EDA455916760CA03CCF30C160DB1F7A8EE507B8A734CF9852DAB70A7250
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f..................^...-......^.......^...@......................................@......@....................h.......h.FO...0q.|.#.................. i.(.............................i.......................h.......h.R....................text....Y^......Z^................. ..`.itext...?...p^..@...^^............. ..`.data...,&....^..(....^.............@....bss.........._..........................idata..FO....h..P...._.............@....didata.R.....h.......`.............@....edata........h......(`.............@..@.tls....d.....i..........................rdata..].....i......*`.............@..@.reloc..(.... i......,`.............@..B.rsrc...|.#..0q...#..4h.............@..@....................................@..@................
              Process:C:\Windows\System32\msiexec.exe
              File Type:MS Windows icon resource - 2 icons, 32x32, 32 bits/pixel, 16x16, 32 bits/pixel
              Category:dropped
              Size (bytes):5430
              Entropy (8bit):5.046858124219736
              Encrypted:false
              SSDEEP:
              MD5:D8E48DE3E5710FABD066C2BC02445C02
              SHA1:D5B86BFF4CD388659633AC3D6969FEE82AED3BDC
              SHA-256:1D1E9558EDEF4CE724F93F80DC96FA5D7306D341F89BCBE61694900A409A2E9B
              SHA-512:BAF61410094AD50EA8DE5918D1688C902EE8366CB6C26CA3FC23FC6C2207001ADBEF05D2C58A1355AD80B9CE790618CCD98580A6E23364A6E3C850CC1ADBE8ED
              Malicious:false
              Reputation:unknown
              Preview:...... .... .....&......... .h.......(... ...@..... .........................................................................................................................................................................\\\tkkkz444g.......4kkkzkkkz...4kkkzkkkz...4kkkzkkkz...4kkkzkkkz...4kkkzkkkz...4....222fkkkzYYYs...............................'...............B...Y...........Y...........Y...........Y...........Y...........Y...>...............%...............................\........iii|...Y...........Y...........Y...........Y...........Y...........Yaaax...........\...................................-...............Y...........Y...........Y...........Y...........Y...........Y...............+...................................3\\\............o...........o...........o...........o...........o...........o........TTT....1..........................................................................................................................................................................
              Process:C:\Windows\System32\msiexec.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):1207216
              Entropy (8bit):6.831251001057177
              Encrypted:false
              SSDEEP:
              MD5:8F5B0181FEF955A2E5117E4BE6F95A4B
              SHA1:4521AEE7FBCE1B08355DF47A1FA19F1052106AFC
              SHA-256:55B0F51ABD2AB649E5B4698217218782CF0B2A318964F91B24891EEED72AD62E
              SHA-512:FED3A7FB81CBE9BC44DEC5E8D78FF1DB3C0A5452D340BAA056564BA0B5F55507C0E7C0CF8AB8BBEE0EB97BF5BA60DFFB0C50C476920C489331A384F2FC9A8A72
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............zA.zA.zA...A.zA...A.zA.{Af.zA.U.A..zA.zA.zA...AI.zA...A.zA...A.zA...A.zARich.zA........PE..L......N...........!.....D...@.......m.......`.......................................g..........................................x.......8............H...#.........pb..............................(...@............`..4............................text....B.......D.................. ..`.rdata.......`.......H..............@..@.data...D....`...`...<..............@....rsrc...8...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\msiexec.exe
              File Type:SQLite 3.x database, last written using SQLite version 3011000, file counter 598, database pages 19, 1st free page 9, free pages 6, cookie 0x3e, schema 4, UTF-8, version-valid-for 598
              Category:dropped
              Size (bytes):77824
              Entropy (8bit):5.424042456470492
              Encrypted:false
              SSDEEP:
              MD5:F115DAA6E926B92C4AF2E02AE2654896
              SHA1:DD7D1C2FDBB9DB652F73AF9910D37AB7441EF5F6
              SHA-256:4A15585D6A44D965B5C393ACAA6FED5CA15C55044E592B54AB2B83D58488F3E5
              SHA-512:51AF671166DBDE2F4CA463193B7D160E6F0D78FFD09D5E2958AB2AE024295E480F2EB9EF17CB420DE831CF57BF127DF8CE754E8762DEE639EBCF94B508AF3840
              Malicious:false
              Reputation:unknown
              Preview:SQLite format 3......@ ...V...............>...................................................V.-..............(.....%................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\msiexec.exe
              File Type:MS Windows icon resource - 7 icons, -128x-128, 32 bits/pixel, 96x96, 32 bits/pixel
              Category:dropped
              Size (bytes):140206
              Entropy (8bit):6.579372382092634
              Encrypted:false
              SSDEEP:
              MD5:BD185B875AF6E53F699096E2FE95CBBB
              SHA1:7B59C7707159FC489BCC477ACD61248E1C4A155D
              SHA-256:0A326B06AAB1FA6BA3939DB15E82CB5F4387CE9C163C6A8458ACC8C79ABD5490
              SHA-512:E9C7D2FF9A691B8981E95A9279209AFC7652C4DAA99E346437419B13266CC97F44E1AF554B4DD2A5C2608DA44EE18B6CA329A7D1E3A9FD8DF58C84D08EE07090
              Malicious:false
              Reputation:unknown
              Preview:............ .(...v...``.... .........@@.... .(B..F...00.... ..%..n... .... ............... ............... .h...F...(............. ........................................................................ ...&...+...0...4...7...:...<...>...?...@...A...A...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...B...A...A...A...@...?...=...;...9...5...2...-...(...#....................................................H).....................................'...2$..=3..OB&.`J+.lP..vT0..U1..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2..W2
              Process:C:\Windows\System32\msiexec.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):904192
              Entropy (8bit):6.88205534156322
              Encrypted:false
              SSDEEP:
              MD5:94D1CAC0285C2C8297AD9B9C905D788B
              SHA1:8B0488BBD2AE665AC53C716ACAF849F73B75F301
              SHA-256:4B3F1E2470A96B8B1D600B23981FDA4CF69746544FE9815D499B90DD0433B42C
              SHA-512:F809C75D35E5F89459BE31A4824A2EBEBD156CB4D1BDD0C08364E26407F1BEF552B3012FFEBE2C2EDC45FCC86228BD3EF8DCDE502D06CAC8C5F415066001A0BD
              Malicious:false
              Reputation:unknown
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q...?...?...?..@....?..@....?..@....?......?...>...?..@....?..@....?..@....?.Rich..?.........PE..L...9..Y...........!.....:...........R.......P............................... ......;.....@.........................@...".......<.......x................#......XW...R..................................@............P...............................text...`9.......:.................. ..`.rdata..b....P.......>..............@....data...L~... ...\..................@....rsrc...x............d..............@..@.reloc..k`.......b...j..............@...........................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\msiexec.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):312240
              Entropy (8bit):6.590510132433095
              Encrypted:false
              SSDEEP:
              MD5:118A53026B4F7D4E19EFF27CD0638074
              SHA1:8B75D54697529A48204441369DD703E1CAE85C51
              SHA-256:4F35E0A6C0DC447A78D37CD36EB0008728DB2ABD00FDF7673AFE38CB6B128A37
              SHA-512:34B61D312BA208B566F43ED97BA79C6264E5EC88A4298E2EBD8A6173F263E0E228799AB9DB5CDBB163545A2C37FA83B6C3C1E1CF9EE5BB66E4D8426C2C4AF261
              Malicious:false
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Reputation:unknown
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&.}.b...b...b...EPh.`...k..B...k..t...k..a...b......k......k..c...k..c...k..c...Richb...................PE..L......N...........!.....|...<......................................................av..............................P'..p.......<.......8................#.......'..@...................................@............................................text....z.......|.................. ..`.rdata..............................@..@.data....P...P...6...6..............@....rsrc...8............l..............@..@.reloc...-...........r..............@..B........................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\msiexec.exe
              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):19577864
              Entropy (8bit):6.748199096863818
              Encrypted:false
              SSDEEP:
              MD5:749A04CBF47FAAF0D0A8F581E5856001
              SHA1:53DE36F243CE2AD1DED200A27012AB468FB95B54
              SHA-256:46D443ADEEF5CC5918F0E821B313069A1DE905A39EFC9CB3019787F7FB9E316E
              SHA-512:26A68C113B368CE0DD058A6207768EC75226A26653B5FBAF1466A17493956687536C5D8192C3660B4F9BF98CBB4C1099AF7F5AF236E35D7234B40E8BB331044E
              Malicious:false
              Reputation:unknown
              Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$..............A...A...A...@...A...@...A...@...A...A...A...@...A...@...A...@...AM..@...AO..@R..A...A...AO..@*..A...@...A...A...AM..@...AM..@...AM..A...AM..@...ARich...A........................PE..L...x.Yg...........!...*......}............................................. @......(+...@.........................0.$.0...`.$.......;...............*.......;.Hy............................#.....p.#.@..............p............................text............................... ..`.rdata..0.w......w.................@..@.data........$..T....$.............@....rsrc.........;.......&.............@..@.reloc..Hy....;..z....&.............@..B................................................................................................................................................................................................................................................
              Process:C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\WiseTurbo.exe
              File Type:very short file (no magic)
              Category:dropped
              Size (bytes):1
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:
              MD5:68B329DA9893E34099C7D8AD5CB9C940
              SHA1:ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC
              SHA-256:01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B
              SHA-512:BE688838CA8686E5C90689BF2AB585CEF1137C999B48C70B92F67A5C34DC15697B5D11C982ED6D71BE1E1E7F7B4E0733884AA97C3F7A339A8ED03577CF74BE09
              Malicious:false
              Reputation:unknown
              Preview:.
              Process:C:\Windows\System32\msiexec.exe
              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: NAPS2 - Not Another PDF Scanner Community, Author: NAPS2 Software, Keywords: Installer, Comments: This installer database contains the logic and data required to install NAPS2 - Not Another PDF Scanner Community., Template: Intel;1033, Revision Number: {D4E1407D-493A-4BC6-AE29-ADBE9B2DC348}, Create Time/Date: Wed Dec 11 15:59:30 2024, Last Saved Time/Date: Wed Dec 11 15:59:30 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
              Category:dropped
              Size (bytes):18059264
              Entropy (8bit):7.996864696488209
              Encrypted:true
              SSDEEP:
              MD5:7EDAA17BCDC442895FE31A9093520E03
              SHA1:8A1E6F252759608E19508B46820A72C883624A7E
              SHA-256:CB8EE5026E0269E8253BE06CE4A2326BDD91433490CE18CC16AD0297E3D1447A
              SHA-512:D17392B60795F878F6345C83CE79752CFF43B7C1849EB31ED7820681A78829F9C21530D116F0DE82A025FEF2D893BA33B6B0D0F8536590FD0E4FC83D4A80E43C
              Malicious:false
              Reputation:unknown
              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\msiexec.exe
              File Type:data
              Category:dropped
              Size (bytes):7380
              Entropy (8bit):5.731544108708415
              Encrypted:false
              SSDEEP:
              MD5:8556C73BBEEBEEA4456DA71D1251A980
              SHA1:1D5E92D68149E5FA15AC2F4DAD1BF83CBDC3BEED
              SHA-256:D500C68E3A2D6C00E7D2B42455626E89D80F009C3AE0C8379409EE4F9C83AB77
              SHA-512:8704442490B08A92876F15D99C607DE8ADA8168BAF801907E48FA73084ED415695EF1596C5052A7648EA994FED730A0495D6BF7FFB87D8A5DEE6F81B4D7D71D1
              Malicious:false
              Reputation:unknown
              Preview:...@IXOS.@.....@...Y.@.....@.....@.....@.....@.....@......&.{7C90854F-C62E-43ED-A4EE-2712406CBF59}).NAPS2 - Not Another PDF Scanner Community..1.msi.@.....@.....@.....@........&.{D4E1407D-493A-4BC6-AE29-ADBE9B2DC348}.....@.....@.....@.....@.......@.....@.....@.......@....).NAPS2 - Not Another PDF Scanner Community......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{17895AE6-010E-E8A1-88C7-0A12982931D2}[.C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\BootPack.wpk.@.......@.....@.....@......&.{DDAB87CC-B48E-4894-8843-23859AF52533}_.C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\fileshredder.ico.@.......@.....@.....@......&.{92170750-BCBF-722E-587D-23DCF1C3A4E9}g.C:\Users\user\AppData\Local\Programs\NAPS2 - Not Another PDF Scanner Community\FilesystemDialogsCOM.dll.@.......@.....@.....@......
              Process:C:\Windows\System32\msiexec.exe
              File Type:Composite Document File V2 Document, Cannot read section info
              Category:dropped
              Size (bytes):20480
              Entropy (8bit):1.1600480192661315
              Encrypted:false
              SSDEEP:
              MD5:0F1D49714D229969B488D4ED50B7B624
              SHA1:8B49400D051E89DD3A1E7769E588E4DBAD0FF4AA
              SHA-256:1C12A19C8046812B2B9F91E317325EEB2B2EFBD686F20757ACAF4829210AEF05
              SHA-512:A77A300353FBB22F069CD5FBAD361A0E434BC385DAB4A947B28538B0CDCAC30DFB82E733FFDA086938232C7F32750B71049B026C80B8A9543E177E0F417CDE1D
              Malicious:false
              Reputation:unknown
              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\msiexec.exe
              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
              Category:dropped
              Size (bytes):454234
              Entropy (8bit):5.356166124520693
              Encrypted:false
              SSDEEP:
              MD5:41CD4245DFCC9F8C3A156839F9C88B27
              SHA1:30752EFC0B1CF1689B119A24FD3D7E221D84742B
              SHA-256:8B9D52B1B4C20136624A94FD6752B81599914D0F917C11F7D963376B97C93026
              SHA-512:DC65F90E8470BF27A0CF7A4702FC14F2921A69A9C901234D4D40C7E330A7806C9BD5DC0D0D13761628C5A88D5DCFC78BFB935B6D84CF9A195CAC18E21F5A94F3
              Malicious:false
              Reputation:unknown
              Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
              Process:C:\Windows\System32\msiexec.exe
              File Type:data
              Category:dropped
              Size (bytes):69632
              Entropy (8bit):0.1253747253168695
              Encrypted:false
              SSDEEP:
              MD5:6A3F311CAF083CF9F1B5B4700730C268
              SHA1:6440A755BB1F41C6E1BF177558BC001FB4F043E2
              SHA-256:F9AEA081F439F3C32D0B791496FE99CC9FF15C7BD72314C219ECC061A54786A4
              SHA-512:99DF742DE0669BE656458AC94D3FDBFBB62481CFF6B98C239041E0D5973A9DC89E90F400DFD21DAA435CB7179B510DAB89274AD20468CF5932143F3FA2325048
              Malicious:false
              Reputation:unknown
              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\msiexec.exe
              File Type:Composite Document File V2 Document, Cannot read section info
              Category:dropped
              Size (bytes):20480
              Entropy (8bit):1.5169778415625128
              Encrypted:false
              SSDEEP:
              MD5:0469BE412FBDD5AB5B5B830C5805B5F5
              SHA1:FD8C8E43192D621D57F67DFB006575F8F3DDC5ED
              SHA-256:A1E5BB1D035686AD90251C72F5884FA0836521BCE768E2739CD3360F153997B0
              SHA-512:B1FDF5B025E17044695F423232046737CA3AD9B8610DE515ED4B205F30F37F79002754B703387BE4518ABEAD1ADDAD16D5D7C55C0E331F5BBD444B80B29BCADA
              Malicious:false
              Reputation:unknown
              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\msiexec.exe
              File Type:Composite Document File V2 Document, Cannot read section info
              Category:dropped
              Size (bytes):32768
              Entropy (8bit):1.2188320906623649
              Encrypted:false
              SSDEEP:
              MD5:DC8E3D81DDF2CCD477AD126896777BA6
              SHA1:F81F5B5AD26B2F50D7350E38BAEA1E643C4223F6
              SHA-256:62C065232D9A2C14987AD6A290AC0FDA70EA41D2298DD52ACF03E339D200CEAE
              SHA-512:565C183A3EEA1E2171EF22BE0B05FB27F65800497051C673B24AE0CB8802748E2A0CA5F94057531FCBD5381E1CE4540DD3365E8B8BB888D9432C0AD230B0FCAE
              Malicious:false
              Reputation:unknown
              Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\msiexec.exe
              File Type:data
              Category:dropped
              Size (bytes):32768
              Entropy (8bit):0.06707147105970726
              Encrypted:false
              SSDEEP:
              MD5:DB29E4AECAB2A7650337836393AA520F
              SHA1:4892C61A8F3DBB33F66B6695A5B8BD7105781CAF
              SHA-256:0FD2752052CBAED1548292108923703878CBC1801CABDB254417C96AB325841E
              SHA-512:28B4D02C61EBEFB09ABB655E22225B66BC19A39C707E7B6721809464FBFDB10FFECB0EE1E31EA12DA98042AB744F74EA0DE64B5056CE18301C4EF419F489B080
              Malicious:false
              Reputation:unknown
              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Windows\System32\msiexec.exe
              File Type:data
              Category:dropped
              Size (bytes):512
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:
              MD5:BF619EAC0CDF3F68D496EA9344137E8B
              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
              Malicious:false
              Reputation:unknown
              Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: NAPS2 - Not Another PDF Scanner Community, Author: NAPS2 Software, Keywords: Installer, Comments: This installer database contains the logic and data required to install NAPS2 - Not Another PDF Scanner Community., Template: Intel;1033, Revision Number: {D4E1407D-493A-4BC6-AE29-ADBE9B2DC348}, Create Time/Date: Wed Dec 11 15:59:30 2024, Last Saved Time/Date: Wed Dec 11 15:59:30 2024, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
              Entropy (8bit):7.996864696488209
              TrID:
              • Microsoft Windows Installer (60509/1) 88.31%
              • Generic OLE2 / Multistream Compound File (8008/1) 11.69%
              File name:1.e
              File size:18'059'264 bytes
              MD5:7edaa17bcdc442895fe31a9093520e03
              SHA1:8a1e6f252759608e19508b46820a72c883624a7e
              SHA256:cb8ee5026e0269e8253be06ce4a2326bdd91433490ce18cc16ad0297e3d1447a
              SHA512:d17392b60795f878f6345c83ce79752cff43b7c1849eb31ed7820681a78829f9c21530d116f0de82a025fef2d893ba33b6b0d0f8536590fd0e4fc83d4a80e43c
              SSDEEP:393216:NQcVLz2NPreEui/O2EmRjrTJaZosg1zk22p9GOnXIaOkp8t4q:T16xu61DcO1z59OXD8tl
              TLSH:FD073306E3CBCEACC4FA11FD6B22B256071DCD455D2855A3D456F8B63C377F2228628A
              File Content Preview:........................>......................................................................................................................................................................................................................................
              Icon Hash:2d2e3797b32b2b99
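Two of the dropped-file entries above are worth dismissing quickly rather than chasing: the 1-byte file written by WiseTurbo.exe (MD5 68B329DA..., SHA-256 01BA4719...) hashes to a single line-feed byte, and the 512-byte file from msiexec.exe (MD5 BF619EAC..., SHA-256 076A27C7...) is one all-zero sector, which is also why both show an entropy of 0.0. The dropped MSI carries the same MD5/SHA-1/SHA-256 as the sample itself (7edaa17b... / cb8ee502...), so it is msiexec's cached copy of the package, not a second payload, and its "Encrypted: true" flag is the sandbox's entropy heuristic firing on the compressed CAB stream inside the installer rather than evidence of a crypter. The helper below, added for this page and not part of Joe Sandbox or the sample, reproduces those checks: it recomputes digests for candidate constant contents, computes the 8-bit Shannon entropy the report labels "Entropy (8bit)", and rebuilds the "PE32 executable (DLL) (GUI) Intel 80386" style label from the MZ/PE headers (the "PE..L..." seen in each preview is the PE signature followed by the i386 machine word 0x014C, little-endian). The hash constants are copied from the report; the PE image used to exercise the classifier is constructed inline and is not one of the dropped files.

```python
# Added triage helper for sandbox "dropped files" listings. Not Joe Sandbox code.
# Hash values are copied from the report entries; the PE header below is constructed.
import hashlib
import math
import struct

# Copied from the report: the 1-byte drop from WiseTurbo.exe and the 512-byte drop from msiexec.exe.
REPORT_DROPS = {
    "wiseturbo_1_byte": {
        "size": 1,
        "md5": "68B329DA9893E34099C7D8AD5CB9C940",
        "sha256": "01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B",
    },
    "msiexec_512_bytes": {
        "size": 512,
        "md5": "BF619EAC0CDF3F68D496EA9344137E8B",
        "sha256": "076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560",
    },
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the figure the report calls 'Entropy (8bit)'.
    0.0 for constant content; close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def digests(data: bytes) -> dict:
    """MD5 and SHA-256 in the upper-case hex form the report uses."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def explain_trivial_drop(entry: dict):
    """Try to reproduce a tiny or constant dropped file from its size and hashes.
    Returns the matching bytes (a lone newline, a zero-filled sector, ...) so the
    entry can be dismissed as a placeholder, or None if nothing simple matches."""
    size = entry["size"]
    candidates = [b"\n", b"\r\n"] + [bytes([v]) * size for v in (0x00, 0x20, 0xFF)]
    want = {"md5": entry["md5"], "sha256": entry["sha256"]}
    for cand in candidates:
        if len(cand) == size and digests(cand) == want:
            return cand
    return None


_MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C4: "ARM", 0xAA64: "ARM64"}
_SUBSYSTEMS = {1: "native", 2: "GUI", 3: "console"}


def classify_pe(image: bytes) -> str:
    """Rebuild a label like 'PE32 executable (DLL) (GUI) Intel 80386' from the headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return "not a PE image"
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ stub without PE signature"
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    subsystem = struct.unpack_from("<H", image, opt + 68)[0]  # same offset for PE32 and PE32+
    parts = [{0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE?"), "executable"]
    if characteristics & 0x2000:                              # IMAGE_FILE_DLL
        parts.append("(DLL)")
    parts.append(f"({_SUBSYSTEMS.get(subsystem, subsystem)})")
    parts.append(_MACHINES.get(machine, hex(machine)))
    return " ".join(parts)


def build_demo_pe(dll: bool = True, subsystem: int = 2) -> bytes:
    """Constructed minimal i386 PE header for exercising classify_pe (not a dropped file)."""
    img = bytearray(0x40 + 24 + 96)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    chars = 0x0102 | (0x2000 if dll else 0)                   # EXECUTABLE_IMAGE | 32BIT_MACHINE [| DLL]
    struct.pack_into("<HHIIIHH", img, 0x44, 0x014C, 1, 0, 0, 0, 96, chars)
    struct.pack_into("<H", img, 0x40 + 24, 0x10B)             # PE32 magic
    struct.pack_into("<H", img, 0x40 + 24 + 68, subsystem)
    return bytes(img)


def triage(entries: dict) -> dict:
    """Map each report entry to its reproduced content and entropy, or None if not trivial."""
    out = {}
    for name, entry in entries.items():
        content = explain_trivial_drop(entry)
        out[name] = None if content is None else {"bytes": content, "entropy": shannon_entropy(content)}
    return out


if __name__ == "__main__":
    for name, result in triage(REPORT_DROPS).items():
        print(name, "->", "not trivial" if result is None else result)
    print(classify_pe(build_demo_pe()))
```

The candidate list is deliberately short: the point is to rule out the placeholder files a sandbox routinely records (newline markers, zeroed sectors) before spending time on them, not to brute-force content. Anything that does not match should be pulled from the sandbox as a real artifact and examined with its full bytes, since hashes alone say nothing about what a 900 KB DLL does.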