Windows Analysis Report
https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739

Overview

General Information

Sample URL: https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741
Analysis ID: 1633116

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Allocates memory in foreign processes
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Queues an APC in another process (thread injection)
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the user directory
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Yara detected Keylogger Generic
Yara signature match

Classification

[Classification chart. Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Legend: clean, suspicious, malicious]
  • System is w10x64_ra
  • chrome.exe (PID: 6800 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 7028 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,12069103136976824217,1151327071205399440,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • chrome.exe (PID: 5936 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • rundll32.exe (PID: 5840 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • List Of required Pump Spares,Xls.exe (PID: 3004 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe" MD5: 222C293BB11D11C06A3354E257C85035)
    • cmd.exe (PID: 3328 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\4976.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • esentutl.exe (PID: 6440 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)
      • alpha.pif (PID: 2284 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • alpha.pif (PID: 2016 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 6324 cmdline: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\7811.cmd"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • PING.EXE (PID: 6420 cmdline: ping 127.0.0.1 -n 10 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • SndVol.exe (PID: 7216 cmdline: C:\Windows\System32\SndVol.exe MD5: BD4A1CC3429ED1251E5185A72501839B)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses Cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
Yara matches (Source | Rule | Description | Author | Strings):
Source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_UACBypassusingCMSTP | Description: Yara detected UAC Bypass using CMSTP | Author: Joe Security
Source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_Remcos_b296e965 | Description: unknown | Author: unknown | Strings:
  • 0x6d770:$a1: Remcos restarted by watchdog!
  • 0x6ddc0:$a3: %02i:%02i:%02i:%03i
Source: 00000011.00000002.2224658697.00000000023F9000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_DBatLoader | Description: Yara detected DBatLoader | Author: Joe Security

          System Summary

          Source: File created | Author: frack113, Nasreddine Bencherchali | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe, ProcessId: 3004, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll
          Source: Process started | Author: Florian Roth (Nextron Systems), Tim Shelton | Data: Command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.pif, NewProcessName: C:\Users\Public\alpha.pif, OriginalFileName: C:\Users\Public\alpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\4976.cmd"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3328, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , ProcessId: 2284, ProcessName: alpha.pif
          Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\\Users\\user\\Links\Oxbpthwf.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe, ProcessId: 3004, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Oxbpthwf
          Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.pif, NewProcessName: C:\Users\Public\alpha.pif, OriginalFileName: C:\Users\Public\alpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\4976.cmd"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3328, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , ProcessId: 2284, ProcessName: alpha.pif

          Stealing of Sensitive Information

          Source: Registry Key set | Author: Joe Security | Data: Details: 8C A9 EF EF FC 15 56 C3 64 EB D2 D2 7E 5F DF 5C C7 6A 28 54 3E 2F 68 95 0C 83 B3 51 E9 B6 F4 87 3F DD CC F7 3B 24 9A B9 44 B8 3E 3D C4 26 3C F8 03 82 C5 F9 1A 6C F1 2A 02 08 FA BD FF 44 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\SndVol.exe, ProcessId: 7216, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-14MUP4\exepath
          Timestamp: 2025-03-09T22:00:07.374174+0100 | SID: 2036594 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.16 | Source Port: 49727 | Destination IP: 193.9.36.1 | Destination Port: 5200 | Protocol: TCP

          AV Detection

          Source: Yara match | File source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.2404479578.0000000033227000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

          Exploits

          Source: Yara match | File source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: chrome.exe | Memory has grown: Private usage: 18MB later: 39MB

          Networking

          Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:49727 -> 193.9.36.1:5200
          Source: unknown | DNS query: name: baddieszn.duckdns.org
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
          Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown | TCP traffic detected without corresponding DNS query: 52.182.143.211
          Source: unknown | TCP traffic detected without corresponding DNS query: 142.250.181.227
          Source: unknown | TCP traffic detected without corresponding DNS query: 2.16.100.168
          Source: global traffic | HTTP traffic detected:
            GET /download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739 HTTP/1.1
            Host: drive.usercontent.google.com
            Connection: keep-alive
            sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
            sec-ch-ua-mobile: ?0
            sec-ch-ua-platform: "Windows"
            Upgrade-Insecure-Requests: 1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
            X-Browser-Channel: stable
            X-Browser-Year: 2025
            X-Browser-Validation: wTKGXmLo+sPWz1JKKbFzUyHly1Q=
            X-Browser-Copyright: Copyright 2025 Google LLC. All rights reserved.
            X-Client-Data: CLbgygE=
            Sec-Fetch-Site: none
            Sec-Fetch-Mode: navigate
            Sec-Fetch-User: ?1
            Sec-Fetch-Dest: document
            Accept-Encoding: gzip, deflate, br, zstd
            Accept-Language: en-US,en;q=0.9
          Source: global traffic | DNS traffic detected: DNS query: drive.usercontent.google.com
          Source: global traffic | DNS traffic detected: DNS query: www.google.com
          Source: global traffic | DNS traffic detected: DNS query: baddieszn.duckdns.org
          Source: Yara match | File source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          E-Banking Fraud

          Source: Yara match | File source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000018.00000002.2404479578.0000000033227000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
          Source: 00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
          Source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
          Source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants | Author: unknown
          Source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\scoped_dir6800_429536495
          Source: C:\Users\Public\alpha.pif | File created: C:\Windows
          Source: C:\Users\Public\alpha.pif | File created: C:\Windows \SysWOW64
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File deleted: C:\Windows\SystemTemp\scoped_dir6800_429536495
          Source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
          Source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants | Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
          Source: classification engine | Classification label: mal100.troj.expl.evad.win@43/9@5/93
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\140190b2-e06c-4ef3-891e-b0091b139139.tmp
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6376:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3936:120:WilError_03
          Source: C:\Windows\SysWOW64\SndVol.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-14MUP4
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2020,i,12069103136976824217,1151327071205399440,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:3
          Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739"
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe "C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe"
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\4976.cmd""
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\7811.cmd""
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe | Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe | Section loaded: apphelp.dll, msimg32.dll, version.dll, uxtheme.dll, url.dll, ieframe.dll, iertutil.dll, netapi32.dll, userenv.dll, winhttp.dll, wkscli.dll, netutils.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, propsys.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ??.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe Section loaded: ???.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe Section loaded: ??????s?.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe Section loaded: winmm.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ????.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ??l.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ??.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ????.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ????.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ??.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ??.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ??.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: wininet.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: sspicli.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: amsi.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: mswsock.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ieproxy.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: winnsi.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: msasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: mssip32.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: smartscreenps.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ??????????.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ??.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ??l.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ????.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ???e???????????.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ???e???????????.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ??l.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: ??l.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: sppc.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: tquery.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: cryptdll.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: spp.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: vssapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: vsstrace.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: endpointdlp.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: endpointdlp.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: endpointdlp.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: endpointdlp.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: advapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: advapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: advapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: advapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: advapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: advapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: advapi.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: sppwmi.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: slc.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: sppcext.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: winscard.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: devobj.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exeSection loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\cmd.exe, Section loaded: cmdext.dll
          Source: C:\Windows\SysWOW64\PING.EXE, Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\PING.EXE, Section loaded: winnsi.dll
          Source: C:\Windows\SysWOW64\PING.EXE, Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\esentutl.exe, Section loaded: esent.dll
          Source: C:\Windows\SysWOW64\esentutl.exe, Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: dwmapi.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: winmm.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: rasadhlp.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\SndVol.exe, Section loaded: cryptbase.dll
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
          Source: Window Recorder, Window detected: More than 3 window changes detected

          Data Obfuscation

          Source: Yara match, File source: 00000011.00000002.2224658697.00000000023F9000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          Persistence and Installation Behavior

          Source: C:\Windows\SysWOW64\esentutl.exe, File created: C:\Users\Public\alpha.pif
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe, File created: C:\Users\user\Links\Oxbpthwf.PIF

          Boot Survival

          Source: C:\Windows\SysWOW64\esentutl.exe, File created: C:\Users\Public\alpha.pif
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe, Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Oxbpthwf
          Source: C:\Windows\System32\rundll32.exe, Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe, Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\SndVol.exe, Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe, Process queried: DebugPort

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe, Process created / APC Queued / Resumed: C:\Windows\SysWOW64\SndVol.exe
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe, Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 3070000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\esentutl.exe, File created: C:\Users\Public\alpha.pif
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe, Thread APC queued: target process: C:\Windows\SysWOW64\SndVol.exe
          Source: C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe, Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
          Source: C:\Windows\SysWOW64\cmd.exe, Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\SndVol.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match, File source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000018.00000002.2404479578.0000000033227000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: C:\Windows\SysWOW64\SndVol.exe, Mutex created: \Sessions\1\BaseNamedObjects\Rmc-14MUP4
          Source: Yara match, File source: 00000011.00000002.2240713127.000000007E960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000011.00000002.2225707271.00000000029B5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000018.00000002.2384867286.0000000003070000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000018.00000002.2404479578.0000000033227000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 311 Process Injection | 221 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Remote Access Software | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | Security Account Manager | 1 Remote System Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Extra Window Memory Injection | 311 Process Injection | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Rundll32 | LSA Secrets | 12 System Information Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Extra Window Memory Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

          Source | Detection | Scanner | Label | Link
          https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739 | 0% | Avira URL Cloud | safe |

          Source | Detection | Scanner | Label | Link
          C:\Users\Public\alpha.pif | 0% | ReversingLabs | |

          No Antivirus matches
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          drive.usercontent.google.com | 142.250.185.161 | true | false | | high
          www.google.com | 172.217.16.196 | true | false | | high
          baddieszn.duckdns.org | 193.9.36.1 | true | true | | unknown
          IP | Domain | Country | ASN | ASN Name | Malicious
          142.250.181.238 | unknown | United States | 15169 | GOOGLEUS | false
          142.250.185.67 | unknown | United States | 15169 | GOOGLEUS | false
          64.233.167.84 | unknown | United States | 15169 | GOOGLEUS | false
          1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
          193.9.36.1 | baddieszn.duckdns.org | Czech Republic | 204860 | NETXNetXNetworksasCZ | true
          142.250.185.161 | drive.usercontent.google.com | United States | 15169 | GOOGLEUS | false
          142.250.186.174 | unknown | United States | 15169 | GOOGLEUS | false
          142.250.186.110 | unknown | United States | 15169 | GOOGLEUS | false
          142.250.184.227 | unknown | United States | 15169 | GOOGLEUS | false
          172.217.16.196 | www.google.com | United States | 15169 | GOOGLEUS | false
                IP
                192.168.2.16
                127.0.0.1
                Joe Sandbox version:42.0.0 Malachite
                Analysis ID:1633116
                Start date and time:2025-03-09 21:59:38 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:defaultwindowsinteractivecookbook.jbs
                Sample URL:https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:27
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • EGA enabled
                Analysis Mode:stream
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.expl.evad.win@43/9@5/93
                • Exclude process from analysis (whitelisted): svchost.exe
                • Excluded IPs from analysis (whitelisted): 142.250.181.238, 142.250.184.227, 142.250.186.110, 64.233.167.84, 142.250.185.110, 216.58.212.142
                • Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, clientservices.googleapis.com, clients.l.google.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtOpenFile calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                • VT rate limit hit for: https://drive.usercontent.google.com/download?id=1csUAHzl5phAivnL_FVU8zqjxtpRv7Og8&export=download&authuser=0&confirm=t&uuid=f16b6afb-dca7-4370-8c11-5cabe39fa2cf&at=AEz70l6vwdQslvq2_uI3E4aAxmok%3A1741430935739
                Process:C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe
                File Type:Unicode text, UTF-8 text, with very long lines (324), with CRLF line terminators
                Category:dropped
                Size (bytes):19854
                Entropy (8bit):4.799579726516822
                Encrypted:false
                SSDEEP:
                MD5:1DF650CCA01129127D30063634AB5C03
                SHA1:BC7172DEC0B12B05F2247BD5E17751EB33474D4E
                SHA-256:EDD4094E7A82A6FF8BE65D6B075E9513BD15A6B74F8032B5C10CE18F7191FA60
                SHA-512:0BDDF9ECAAEDB0C30103A1FBFB644D6D4F7608BD596403307ED89B2390568C3A29E2CF55D10E2EADBFC407EDE52EAF9A4F2321BA5F37E358A1039F73C7688FBD
                Malicious:false
                Reputation:unknown
                Process:C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe
                File Type:Unicode text, UTF-8 text, with very long lines (577), with CRLF line terminators
                Category:dropped
                Size (bytes):2860
                Entropy (8bit):4.335677764406247
                Encrypted:false
                SSDEEP:
                MD5:9A020804EBA1FFAC2928D7C795144BBF
                SHA1:61FDC4135AFDC99E106912AEAFEAC9C8A967BECC
                SHA-256:A86C6C7A2BF9E12C45275A5E7EBEBD5E6D2BA302FE0A12600B7C9FDF283D9E63
                SHA-512:42F6D754F1BDBEB6E4CC7AEB57FF4C4D126944F950D260A0839911E576AD16002C16122F81C1D39FA529432DCA0A48C9ACFBB18804CA9044425C8E424A5518BE
                Malicious:false
                Reputation:unknown
                Process:C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe
                File Type:Unicode text, UTF-8 text, with very long lines (372), with CRLF line terminators
                Category:dropped
                Size (bytes):17570
                Entropy (8bit):4.749675665870814
                Encrypted:false
                SSDEEP:
                MD5:5BAF253744AD26F35BA17DB6B80763E9
                SHA1:6235B00643E324AC5FEA07F9ADAE9F2A0DB56B99
                SHA-256:9CBB41E6C4F8565A6D121B770FCF3F15A6891C8DF8BFBA6D0414B3AD3298BDBA
                SHA-512:5C949A081D922963745A3F0DEEE87C9D862D278889A6C7790AABF34BC09E04DCE7B3AB41EF7A4F584571CCA739AF0A1DEA4FA244C378696AC7EA6D6AC9B415F8
                Malicious:false
                Reputation:unknown
                Process:C:\Windows\SysWOW64\esentutl.exe
                File Type:PE32 executable (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):236544
                Entropy (8bit):6.4416694948877025
                Encrypted:false
                SSDEEP:
                MD5:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                SHA1:4048488DE6BA4BFEF9EDF103755519F1F762668F
                SHA-256:4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
                SHA-512:80E127EF81752CD50F9EA2D662DC4D3BF8DB8D29680E75FA5FC406CA22CAFA5C4D89EF2EAC65B486413D3CDD57A2C12A1CB75F65D1E312A717D262265736D1C2
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 0%
                Reputation:unknown
                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                File Type:Zip archive data, at least v1.0 to extract, compression method=store
                Category:dropped
                Size (bytes):5014
                Entropy (8bit):7.96161778783884
                Encrypted:false
                SSDEEP:
                MD5:19CC85625A3D721157BB51658EB884AD
                SHA1:9324F7B83BD45BB6BA5E20EF7639FAD47627FA89
                SHA-256:0605AA637A7A0878E44501E1145B209FC8646068DD77AFF2EA13B8FF3E4D0BB5
                SHA-512:356E8FD6CE12489039F9C9C19AFF67D73C18C9A083AD47669B0BA4D11D1E2F74A5B27E211FA632F529A084C00BA50FC052EC278386B473D7501ACBB04DD7FCE7
                Malicious:false
                Reputation:unknown
                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                File Type:Zip archive data, at least v1.0 to extract, compression method=store
                Category:dropped
                Size (bytes):0
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:
                MD5:19CC85625A3D721157BB51658EB884AD
                SHA1:9324F7B83BD45BB6BA5E20EF7639FAD47627FA89
                SHA-256:0605AA637A7A0878E44501E1145B209FC8646068DD77AFF2EA13B8FF3E4D0BB5
                SHA-512:356E8FD6CE12489039F9C9C19AFF67D73C18C9A083AD47669B0BA4D11D1E2F74A5B27E211FA632F529A084C00BA50FC052EC278386B473D7501ACBB04DD7FCE7
                Malicious:false
                Reputation:unknown
                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                File Type:Zip archive data, at least v1.0 to extract, compression method=store
                Category:dropped
                Size (bytes):0
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:
                MD5:19CC85625A3D721157BB51658EB884AD
                SHA1:9324F7B83BD45BB6BA5E20EF7639FAD47627FA89
                SHA-256:0605AA637A7A0878E44501E1145B209FC8646068DD77AFF2EA13B8FF3E4D0BB5
                SHA-512:356E8FD6CE12489039F9C9C19AFF67D73C18C9A083AD47669B0BA4D11D1E2F74A5B27E211FA632F529A084C00BA50FC052EC278386B473D7501ACBB04DD7FCE7
                Malicious:false
                Reputation:unknown
                Process:C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):1661952
                Entropy (8bit):7.646882902772495
                Encrypted:false
                SSDEEP:
                MD5:222C293BB11D11C06A3354E257C85035
                SHA1:92D0448B482866449C4F512C561A4F29F22361B1
                SHA-256:0833804BEAB831182EBF446C828867653C7B8F1BBE13292421574CDE78C7C70C
                SHA-512:8ECA8708AB931B17F0B5DCB178BCCABDC6DA03FB1E541F72F7777EECEA7D116E37BFEFCDE4C5E3EC3863CD5220FC70AD65662166C94D271AAF317623F4D3EDE3
                Malicious:true
                Reputation:unknown
                Process:C:\Users\user\AppData\Local\Temp\Temp1_MV NEMO 1,PDF.zip\MV NEMO 1,PDF\List Of required Pump Spares,Xls.exe
                File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\user\\Links\\Oxbpthwf.PIF">), ASCII text, with CRLF line terminators
                Category:modified
                Size (bytes):98
                Entropy (8bit):5.19472499211448
                Encrypted:false
                SSDEEP:
                MD5:955A21D4A725634E57CEA44433EAC639
                SHA1:077963F2D721598D32AC77DEF033E5676FC14FB7
                SHA-256:AC662F9258D8CA41834E997C9A430AF01F8C11B6D4631C496739F0F1568C5B82
                SHA-512:852EB1942EA9225DC5EAD1025AD97FAFF5FD20169D1D54BA5BDFEFC287CAFE65E1B239EE737422127F59BF201CF423950425E49B89ADBA1D55CA43572E4B0F71
                Malicious:false
                Reputation:unknown
                Preview:[InternetShortcut]..URL=file:"C:\\Users\\user\\Links\\Oxbpthwf.PIF"..IconIndex=969225..HotKey=71..
                Process:C:\Windows\SysWOW64\PING.EXE
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):725
                Entropy (8bit):4.868584691050065
                Encrypted:false
                SSDEEP:
                MD5:27F901942E2BE9E01DA24E1C80941B62
                SHA1:324A01E9417C05287F26B5734155DA9D904AD763
                SHA-256:34CCF4E63793D0BFDD0A1E8A836D82C8EBB9114664F0BCA250D159BE4ACA9B5B
                SHA-512:6830C321D62454D97360CB7913F2AA674D74C08DC8FA62B3985CC0B685B735E980152626E45413DE19DAE9D79CDB2320187A87EFD0BE7558563113BDA853CAF2
                Malicious:false
                Reputation:unknown
                Preview:..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                No static file info