Edit tour

Windows Analysis Report
3SqWYf8qFi.exe

Overview

General Information

Sample name:	3SqWYf8qFi.exe renamed because original name is a hash value
Original sample name:	27b3e45a81641d0e7d0dea29938774ae.exe
Analysis ID:	1407471
MD5:	27b3e45a81641d0e7d0dea29938774ae
SHA1:	b169677b0772e523a49aee97a0d5aca89ade3068
SHA256:	ab7237aba6c89c09aeaf5111575614041aafc280f2461f3e669195ce6943e4e1
Tags:	64exe
Infos:

Detection

Glupteba, Mars Stealer, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected Glupteba

Yara detected Mars stealer

Yara detected Stealc

Yara detected Vidar stealer

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Creates HTML files with .exe extension (expired dropper behavior)

Disables UAC (registry)

Drops script or batch files to the startup folder

Found Tor onion address

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Connects to several IPs in different countries

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file does not import any functions

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

3SqWYf8qFi.exe (PID: 6908 cmdline: C:\Users\user\Desktop\3SqWYf8qFi.exe MD5: 27B3E45A81641D0E7D0DEA29938774AE)

powershell.exe (PID: 43952 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SqWYf8qFi.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 14400 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

CasPol.exe (PID: 43980 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)

vkIsjAzkgrOzUK7uj2IHc9JM.exe (PID: 8660 cmdline: "C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe" MD5: AF528677E66608860208878377380FD9)

syncUpd.exe (PID: 9392 cmdline: C:\Users\user\AppData\Local\Temp\syncUpd.exe MD5: C722591F624FB69970F246B8C81D830F)

BroomSetup.exe (PID: 10876 cmdline: C:\Users\user\AppData\Local\Temp\BroomSetup.exe MD5: EEE5DDCFFBED16222CAC0A1B4E2E466E)

cmd.exe (PID: 14184 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 14804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

F3bLUEvvHahM06jSZWbJPDdX.exe (PID: 9004 cmdline: "C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe" MD5: 5F2CE2E258A6EEF93E5E22DCE2717F82)

rMuSSyE2z14xNxfrVLVv1kvs.exe (PID: 9124 cmdline: "C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe" --silent --allusers=0 MD5: 18A0C971C87F30E90DC78E5331D1643C)

rMuSSyE2z14xNxfrVLVv1kvs.exe (PID: 11524 cmdline: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c4b21c8,0x6c4b21d4,0x6c4b21e0 MD5: 18A0C971C87F30E90DC78E5331D1643C)

rMuSSyE2z14xNxfrVLVv1kvs.exe (PID: 14548 cmdline: "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\rMuSSyE2z14xNxfrVLVv1kvs.exe" --version MD5: 18A0C971C87F30E90DC78E5331D1643C)

wQ9dgKtBZDeIUddSVpW8BvEm.exe (PID: 9196 cmdline: "C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe" MD5: 95B643F1AB74DB2FD054852EF281577D)

jpm6qF5Qiq3f7hmREIabTmaO.exe (PID: 9252 cmdline: "C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe" MD5: 95B643F1AB74DB2FD054852EF281577D)

dC7amCutZVjsSWxQ9FIlZYqw.exe (PID: 9408 cmdline: "C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe" MD5: 5F2CE2E258A6EEF93E5E22DCE2717F82)

3iX1J0J7PXcnIfnf5KGl849r.exe (PID: 9436 cmdline: "C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe" MD5: AF528677E66608860208878377380FD9)

UPwYHcUA3TbsX6l2qc9SZcBH.exe (PID: 10536 cmdline: "C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe" --silent --allusers=0 MD5: 968B869AA841B0C675BF2C61DFEAA509)

UPwYHcUA3TbsX6l2qc9SZcBH.exe (PID: 13116 cmdline: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d4,0x300,0x6b8021c8,0x6b8021d4,0x6b8021e0 MD5: 968B869AA841B0C675BF2C61DFEAA509)

H1Mms5Gptfho9VyHt62sHSNN.exe (PID: 10652 cmdline: "C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe" MD5: AF528677E66608860208878377380FD9)

VWhRbFHRqImCr0UdFf6QtJNt.exe (PID: 10908 cmdline: "C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe" MD5: AF528677E66608860208878377380FD9)

f2CDTsUNlMadewChtQe3a8Da.exe (PID: 10968 cmdline: "C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe" MD5: 95B643F1AB74DB2FD054852EF281577D)

VySSnHhKNg09wrV9qkpgKtg9.exe (PID: 11056 cmdline: "C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe" MD5: 5F2CE2E258A6EEF93E5E22DCE2717F82)

dZhcoTSgym1JGRiEQOUqAdeo.exe (PID: 11100 cmdline: "C:\Users\user\Pictures\dZhcoTSgym1JGRiEQOUqAdeo.exe" MD5: 5F2CE2E258A6EEF93E5E22DCE2717F82)

rfKusEcfqkKKVyx19jVITYlO.exe (PID: 11164 cmdline: "C:\Users\user\Pictures\rfKusEcfqkKKVyx19jVITYlO.exe" MD5: 95B643F1AB74DB2FD054852EF281577D)

Rfsq67IamA4rPpnX6LHMDFkm.exe (PID: 11280 cmdline: "C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe" --silent --allusers=0 MD5: 9BFF769347ADF4195895A2AA8C977EFF)

Rfsq67IamA4rPpnX6LHMDFkm.exe (PID: 13232 cmdline: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2c4,0x304,0x6bd721c8,0x6bd721d4,0x6bd721e0 MD5: 9BFF769347ADF4195895A2AA8C977EFF)

zKY9gVt7bugdAVV29pfHDO1J.exe (PID: 11604 cmdline: "C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe" --silent --allusers=0 MD5: 9D6D8C23FE185D39AA9259B64543248E)

zKY9gVt7bugdAVV29pfHDO1J.exe (PID: 14488 cmdline: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6ae821c8,0x6ae821d4,0x6ae821e0 MD5: 9D6D8C23FE185D39AA9259B64543248E)

mxmsi31bOIKdEb9VIHBYJshQ.exe (PID: 13968 cmdline: "C:\Users\user\Pictures\mxmsi31bOIKdEb9VIHBYJshQ.exe" MD5: AF528677E66608860208878377380FD9)

j1XOgROBJfvz0cRzU7rPw7NS.exe (PID: 14020 cmdline: "C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe" --silent --allusers=0 MD5: 6E7737F5251D3BC5CF1D0D75778589ED)

j1XOgROBJfvz0cRzU7rPw7NS.exe (PID: 15840 cmdline: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6a9c21c8,0x6a9c21d4,0x6a9c21e0 MD5: 6E7737F5251D3BC5CF1D0D75778589ED)

2n6aZsnLKtKXJNMzWvG8Ou1L.exe (PID: 14148 cmdline: "C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe" --silent --allusers=0 MD5: 3C982E3594F2F49BE9CB21C88EDA12D6)

2n6aZsnLKtKXJNMzWvG8Ou1L.exe (PID: 16532 cmdline: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6a5021c8,0x6a5021d4,0x6a5021e0 MD5: 3C982E3594F2F49BE9CB21C88EDA12D6)

jLh2jXNiKaCQ93A91IuQMDiC.exe (PID: 14256 cmdline: "C:\Users\user\Pictures\jLh2jXNiKaCQ93A91IuQMDiC.exe" MD5: AF528677E66608860208878377380FD9)

VF98zhY4QVhDxJpNtAE2TU6d.exe (PID: 14320 cmdline: "C:\Users\user\Pictures\VF98zhY4QVhDxJpNtAE2TU6d.exe" MD5: 95B643F1AB74DB2FD054852EF281577D)

CasPol.exe (PID: 7340 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)

WerFault.exe (PID: 7948 cmdline: C:\Windows\system32\WerFault.exe -u -p 6908 -s 56832 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Glupteba	Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.	No Attribution	http://resources.infosecinstitute.com/tdss4-part-1/ https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/ https://blog.google/technology/safety-security/new-action-combat-cyber-crime/ https://blog.google/threat-analysis-group/disrupting-glupteba-operation/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/	https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "185.172.128.145/3cd2b41cbde8fc9c.php"}

Threatname: Vidar

{"C2 url": "http://185.172.128.145/3cd2b41cbde8fc9c.php"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000026.00000001.2270329448.0000000000843000.00000040.00000001.01000000.0000002A.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000000F.00000003.1947105334.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000F.00000003.1947105334.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000000F.00000002.2876636083.0000000000400000.00000040.00000001.01000000.0000000D.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000F.00000002.2876636083.0000000000400000.00000040.00000001.01000000.0000000D.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000000F.00000002.2877180819.00000000006A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000F.00000002.2877180819.00000000006A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000000F.00000002.2877180819.00000000006A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000F.00000002.2877662329.0000000000833000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xd38:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000F.00000002.2877720615.0000000000848000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: syncUpd.exe PID: 9392	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: syncUpd.exe PID: 9392	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: syncUpd.exe PID: 9392	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: f2CDTsUNlMadewChtQe3a8Da.exe PID: 10968	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Process Memory Space: VF98zhY4QVhDxJpNtAE2TU6d.exe PID: 14320	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author
15.2.syncUpd.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.2.syncUpd.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
15.2.syncUpd.exe.6a0e67.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.2.syncUpd.exe.6a0e67.1.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
15.3.syncUpd.exe.7b0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.3.syncUpd.exe.7b0000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
15.2.syncUpd.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.2.syncUpd.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
15.3.syncUpd.exe.7b0000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.3.syncUpd.exe.7b0000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
15.2.syncUpd.exe.6a0e67.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.2.syncUpd.exe.6a0e67.1.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
38.1.VF98zhY4QVhDxJpNtAE2TU6d.exe.400000.0.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
23.3.f2CDTsUNlMadewChtQe3a8Da.exe.3690000.6.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SqWYf8qFi.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SqWYf8qFi.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\3SqWYf8qFi.exe, ParentImage: C:\Users\user\Desktop\3SqWYf8qFi.exe, ParentProcessId: 6908, ParentProcessName: 3SqWYf8qFi.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SqWYf8qFi.exe" -Force, ProcessId: 43952, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SqWYf8qFi.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SqWYf8qFi.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\3SqWYf8qFi.exe, ParentImage: C:\Users\user\Desktop\3SqWYf8qFi.exe, ParentProcessId: 6908, ParentProcessName: 3SqWYf8qFi.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SqWYf8qFi.exe" -Force, ProcessId: 43952, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 43980, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MCYmcBRyIU8ux2QHjbZuxfqz.bat

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000F.00000003.1947105334.00000000007B0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.145/3cd2b41cbde8fc9c.php"}
Source: syncUpd.exe.9392.15.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "185.172.128.145/3cd2b41cbde8fc9c.php"}

Multi AV Scanner detection for submitted file

Source: 3SqWYf8qFi.exe	ReversingLabs: Detection: 18%
Source: 3SqWYf8qFi.exe	Virustotal: Detection: 25%			Perma Link

Yara detected Glupteba

Source: Yara match	File source: 38.1.VF98zhY4QVhDxJpNtAE2TU6d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.f2CDTsUNlMadewChtQe3a8Da.exe.3690000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000001.2270329448.0000000000843000.00000040.00000001.01000000.0000002A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f2CDTsUNlMadewChtQe3a8Da.exe PID: 10968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VF98zhY4QVhDxJpNtAE2TU6d.exe PID: 14320, type: MEMORYSTR

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\DG5NfvChXpdFrpWmBrnRWaQb.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\9pxDWajsJYwYwL1brTzHEdek.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\9HGEbLH7EssqmLwFcrlZYSWT.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\5QpyioUXq8ASWQahMvzU4ahz.exe	Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: CtIvEWInDoW
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: AgEBOxw
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: ijklmnopqrs
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: /#%33@@@
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: abcdefghijklmnopqrs
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: @@@@<@@@
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: abcdefghijklmnopqrs
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: "&&""..""&&"">>""&&"".."ikSQWQSQ_QBEklmn^pqrBtuvFxyzL123H5679+/\|
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: %s\%V/yVs
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: %s\*.
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: }567y9n/S
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: ntTekeny
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: ging
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: PassMord0
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: J@@@`z`@J@@@J@@@
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: OPQRSTUVWXY
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: 456753+/---- '
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: '--- '
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: qRslaZ9Iw\|
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: HeapFree
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: GetLocaleInfoA
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: ntProcessId
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: wininet.dll
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: shlwapi.dll
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: shell32.dll
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: .dll
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: column_text
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: }67b)>4`,LXZu2L6qd
Source: 15.2.syncUpd.exe.400000.0.raw.unpack	String decryptor: login:

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree,	15_2_00409540
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_004155A0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	15_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	15_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	15_2_004094A0
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,	15_2_0040BF90
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006B5807 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	15_2_006B5807
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006AC1F7 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,	15_2_006AC1F7
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006A6E77 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	15_2_006A6E77
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006A9707 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	15_2_006A9707
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006A97A7 CryptUnprotectData,LocalAlloc,LocalFree,	15_2_006A97A7

Bitcoin Miner

Yara detected Glupteba

Source: Yara match	File source: 38.1.VF98zhY4QVhDxJpNtAE2TU6d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.f2CDTsUNlMadewChtQe3a8Da.exe.3690000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000001.2270329448.0000000000843000.00000040.00000001.01000000.0000002A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f2CDTsUNlMadewChtQe3a8Da.exe PID: 10968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VF98zhY4QVhDxJpNtAE2TU6d.exe PID: 14320, type: MEMORYSTR

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

Unpacked PE file: 15.2.syncUpd.exe.400000.0.unpack

Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312120432506.log
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312120451640.log
Source: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312120439871.log
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312120440744.log
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312120500215.log
Source: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312120451637.log

Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: 3SqWYf8qFi.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Loader.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.00000000001A1000.00000040.00000001.01000000.0000001A.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001A1000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CA1000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.00000000001F1000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000091000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.0000000000021000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.00000000001F1000.00000040.00000001.01000000.00000029.sdmp
Source:	Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: `K_lib.dll.pdb@+ source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000000.1862298101.00000000011A7000.00000080.00000001.01000000.0000000C.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000000.1946950834.0000000000407000.00000080.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000000.1943633581.0000000000F07000.00000080.00000001.01000000.00000018.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000001C.00000000.1976024041.00000000011A7000.00000080.00000001.01000000.0000000C.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000000.1948656923.0000000000AA7000.00000080.00000001.01000000.0000001D.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000000.2012097688.0000000000407000.00000080.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000000.2054392398.0000000000F07000.00000080.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000000.2058242868.0000000000457000.00000080.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000000.2064487479.00000000002F7000.00000080.00000001.01000000.00000028.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 00000028.00000000.2058335131.0000000000AA7000.00000080.00000001.01000000.0000001D.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000000.2084551332.0000000000287000.00000080.00000001.01000000.0000002C.sdmp
Source:	Binary string: Age does not matchThe module age and .pdb age do not match. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003F08000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .exe.pdb source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000000.1862298101.00000000011A7000.00000080.00000001.01000000.0000000C.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000000.1946950834.0000000000407000.00000080.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000000.1943633581.0000000000F07000.00000080.00000001.01000000.00000018.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000001C.00000000.1976024041.00000000011A7000.00000080.00000001.01000000.0000000C.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000000.1948656923.0000000000AA7000.00000080.00000001.01000000.0000001D.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000000.2012097688.0000000000407000.00000080.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000000.2054392398.0000000000F07000.00000080.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000000.2058242868.0000000000457000.00000080.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000000.2064487479.00000000002F7000.00000080.00000001.01000000.00000028.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 00000028.00000000.2058335131.0000000000AA7000.00000080.00000001.01000000.0000001D.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000000.2084551332.0000000000287000.00000080.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000000.2090220336.0000000000457000.00000080.00000001.01000000.00000029.sdmp
Source:	Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Downloading symbols for [%s] %ssrvsymsrvhttp://https://_bad_pdb_file.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb@+ source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Drive not readyThis error indicates a .pdb file related failure. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: `K_lib.dll.pdb source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000000.1862298101.00000000011A7000.00000080.00000001.01000000.0000000C.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000000.1946950834.0000000000407000.00000080.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000000.1943633581.0000000000F07000.00000080.00000001.01000000.00000018.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000001C.00000000.1976024041.00000000011A7000.00000080.00000001.01000000.0000000C.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000000.1948656923.0000000000AA7000.00000080.00000001.01000000.0000001D.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000000.2012097688.0000000000407000.00000080.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000000.2054392398.0000000000F07000.00000080.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000000.2058242868.0000000000457000.00000080.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000000.2064487479.00000000002F7000.00000080.00000001.01000000.00000028.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 00000028.00000000.2058335131.0000000000AA7000.00000080.00000001.01000000.0000001D.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000000.2084551332.0000000000287000.00000080.00000001.01000000.0000002C.sdmp
Source:	Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Unable to locate the .pdb file in this location source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: The module signature does not match with .pdb signature. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdb.dbg source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: '(EfiGuardDxe.pdbx source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdbGCTL source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003F08000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: or you do not have access permission to the .pdb location. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: EfiGuardDxe.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .exe.pdb@ source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000000.1862298101.00000000011A7000.00000080.00000001.01000000.0000000C.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000000.1946950834.0000000000407000.00000080.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000000.1943633581.0000000000F07000.00000080.00000001.01000000.00000018.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000001C.00000000.1976024041.00000000011A7000.00000080.00000001.01000000.0000000C.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000000.1948656923.0000000000AA7000.00000080.00000001.01000000.0000001D.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000000.2012097688.0000000000407000.00000080.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000000.2054392398.0000000000F07000.00000080.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000000.2058242868.0000000000457000.00000080.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000000.2064487479.00000000002F7000.00000080.00000001.01000000.00000028.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 00000028.00000000.2058335131.0000000000AA7000.00000080.00000001.01000000.0000001D.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000000.2084551332.0000000000287000.00000080.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000000.2090220336.0000000000457000.00000080.00000001.01000000.00000029.sdmp
Source:	Binary string: Signature does not matchThe module signature does not match with .pdb signature source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb@ source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.00000000001A1000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000CA1000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.00000000001A1000.00000040.00000001.01000000.0000001A.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001A1000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CA1000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.00000000001F1000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000091000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.0000000000021000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.00000000001F1000.00000040.00000001.01000000.00000029.sdmp
Source:	Binary string: dbghelp.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdbGCTL source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00408123 FindFirstFileA,FindClose,	10_2_00408123
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_004085B8 DeleteFileA,DeleteFileA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	10_2_004085B8
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_0040342B FindFirstFileA,	10_2_0040342B
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	15_2_00412570
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	15_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	15_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	15_2_00411650
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	15_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	15_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	15_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	15_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	15_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006AB877 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	15_2_006AB877
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006B2457 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	15_2_006B2457
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006A1827 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	15_2_006A1827
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006AD427 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	15_2_006AD427
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006B18B7 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	15_2_006B18B7
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006B1DE7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	15_2_006B1DE7
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006ADDC7 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	15_2_006ADDC7
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006B27D7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	15_2_006B27D7
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006AD7A7 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	15_2_006AD7A7
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: 31_1_001CCF22 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	31_1_001CCF22

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 185.172.128.145/3cd2b41cbde8fc9c.php
Source: Malware configuration extractor	URLs: http://185.172.128.145/3cd2b41cbde8fc9c.php

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: IvU2uyNuWFigEygNV6rctFCx.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: yyOg8vFUEf8ewje7ePyYaYrp.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: k24uGEMvDOJxGSYIEJfkvAv5.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: jzqvqBGkG9ji22i8AoGkLtvR.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: CaOK3iO8OQAwsgQeckh3C4UP.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: wGwvjr8JuoYAqhoeP1STOomL.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: X0QE4YfIdkFIaFg73EESBmNY.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 9er3Js7GDifxgqZh2XipvtXh.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: OrUhyJcu1NvcVz9aYKgQaEHF.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: yyIn2S9KkOFmc5VIOG5URAcM.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: ThBPJoGxW6s6xOvtetaJLwi2.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: oRNRkRJgpfntnnUy3280Q2gz.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: NmDs1HYwuXH0hryD0mdBt3jX.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: UT13zjeHVdOFi7IHMIp0XqHQ.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: eWykOtAnMlV1bwkA64D3jk1r.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: ZeGipmT3eHYuvmbIxgXMhYeA.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: yuOzOMiGu18r6OI15UqZiVhD.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: g74FLtS6pxPabgJh1GOJP0y9.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: WBuKGU5qJ5VUXxoLOGiXoBkH.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: YTPWaMfX30OWGAa0N4zQELWE.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: WIPfhQxM6KJXx251iZNwCqDU.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: orrmvmRrWiQUvvR2gvxmt2Uq.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: IVPQ2alvXAGOa4ZbvjP04aTV.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: TdtQ1FE4bYO5ogxoTGdiEN38.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: wkhy7uRGkuNSmBiMfg2ujY77.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: sZTgVuBgO0l3CMzVYan4pxrE.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: qLwqLSV4rPxepI9a27kf3QoZ.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: J5gykLd70qOkxMaAyCwBf3AO.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: fiUeZNNCTIS5H2aPexzpE5Lz.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: n9Mh8v3pnnImlBJy2SUqnwt7.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: yk5Kg8CP5R0lBkwzd8NmvR55.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: k61IyshjXf2xgCwUvOFWwmgI.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: CasE9Xp1QOtkW4E3aVj16cmV.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 87JPMSplrYgzi5Cttm3Z375k.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: Ci70jxmBCikoxRrlulJIEQH3.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: uTpnhMoQAbjpswVVMilQAog8.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: JmFHdFFXnf32rCkwI8iKN74G.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 6EttYMEl0lv0TgoioCDqPARX.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 6FilrATN3dQE8srgx4AKUMVc.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: UKcOeyzFWKgEp3jiLlc53JId.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: khZWbExKB8w1JkxRWheAWkKQ.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: ICXg2Ke2vnpuobif1V7ZIlR7.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: IC4DTPQmGTctezS5guL9vFLJ.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 3rV9RY4D0vXRAkg7JT32cmCD.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: bbLIw48fKM1lzSnI9fseLQ0z.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: ma5ZV2wEknznzPeuTeaX9Fk3.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: J0L5GIP8nWdOG64Uj1tuCr4I.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: TmyU19puPszO5dD6QaXXYS9j.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: P52PQNhb6DjA6yqnfJVJRvJc.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 1IiLAoyBh4YnTxVttC3glecg.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: Ti2wvx1Jt0MWHlDpZMMIhhND.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 89IAnuHgvZ52kCx57pWfMJyj.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: VbjnVPoWpC8ngAejNWQ8DLBN.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: K3a3RLkBmOAUgzYQ2MxzfB6S.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: kIkH03mHJncFYDqHqXdphzO5.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: Sp4RC4Fzn9R3nxCm7XaceyVC.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: PHBccilKfK9jHQUPwgnTj8b3.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: qISpsWpv4oIvhES3MTpCAdcJ.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 0rPqVWXk4L1q7vaDqSSAYuOV.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 2mVrLbuGc4HvqI1vBpAy5Z7r.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 2ut031I6nOWGwcANYtiL1o1J.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 0MO04SVirwqcj6WPf5Zv7PoT.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: owaM0vzN2jKxgkVfs4bImjfe.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: 0iUkmKUli4rxdTjqlhfb3STv.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: ka3JrCFlTPYjnvR6dwKLC1vl.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: oXoLzyLcYgk57zCvqPsFCNIg.exe.4.dr

Found Tor onion address

Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2

Source: unknown

Network traffic detected: IP country count 30

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

Code function: 15_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

15_2_00404C70

Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	String found in binary or memory: c. Facebook Messenger: A messaging service provided by Facebook, Inc., Meta Platforms Ireland Ltd. or related companies, depending on where you are accessing their services. Terms of use are available at https://www.facebook.com/legal/terms; and equals www.facebook.com (Facebook)
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: hatsapp.com/legal; and c. Facebook Messenger: A messaging service provided by Facebook, Inc., Meta Platforms Ireland Ltd. or related companies, depending on where you are accessing their services. Terms of use are available at https://www.facebook.com/l equals www.facebook.com (Facebook)

Source: syncUpd.exe, 0000000F.00000002.2877720615.0000000000848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.145
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.145/15f649199f40275b/freebl3.dll
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.145/15f649199f40275b/mozglue.dll
Source: syncUpd.exe, 0000000F.00000002.2877720615.0000000000886000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.145/15f649199f40275b/msvcp140.dll
Source: syncUpd.exe, 0000000F.00000002.2877720615.0000000000886000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.145/15f649199f40275b/msvcp140.dll7
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.145/15f649199f40275b/nss3.dll
Source: syncUpd.exe, 0000000F.00000002.2877720615.0000000000886000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.145/15f649199f40275b/softokn3.dll
Source: syncUpd.exe, 0000000F.00000002.2877720615.0000000000886000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.145/15f649199f40275b/softokn3.dlld
Source: syncUpd.exe, 0000000F.00000003.2281435291.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.145/15f649199f40275b/sqlite3.dll
Source: syncUpd.exe, 0000000F.00000003.2281435291.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.145/15f649199f40275b/sqlite3.dlllLx
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.145/15f649199f40275b/vcruntime140.dll
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.145/15f649199f40275b/vcruntime140.dllo
Source: syncUpd.exe, 0000000F.00000003.2281435291.000000000089F000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 0000000F.00000002.2877720615.0000000000848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.php
Source: syncUpd.exe, 0000000F.00000002.2876636083.0000000000447000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.php0d62641a64885f84d53bf1676aabn
Source: syncUpd.exe, 0000000F.00000003.2281435291.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.145/3cd2b41cbde8fc9c.phpnI
Source: syncUpd.exe, 0000000F.00000002.2877720615.0000000000848000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.145P
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.187/
Source: syncUpd.exe, 0000000F.00000002.3205646166.0000000026F5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.187/Ledger-Live.exe
Source: syncUpd.exe, 0000000F.00000002.2876636083.0000000000447000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://185.172.128.187/Ledger-Live.exe00
Source: syncUpd.exe, 0000000F.00000002.3205646166.0000000026F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.187/Ledger-Live.exe3
Source: syncUpd.exe, 0000000F.00000002.3205646166.0000000026F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.187/Ledger-Live.exeT
Source: syncUpd.exe, 0000000F.00000002.3205646166.0000000026F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.187/Ledger-Live.exe_
Source: syncUpd.exe, 0000000F.00000002.2876636083.0000000000447000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://185.172.128.187/Ledger-Live.exeposition:
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000003.1920722672.00000000006EC000.00000004.00000020.00020000.00000000.sdmp, vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.187/T
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.187/ping.php?substr=two
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.187/ping.php?substr=twoO
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.187/ping.php?substr=twoP
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.187/ping.php?substr=twoh
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000003.1920722672.00000000006EC000.00000004.00000020.00020000.00000000.sdmp, vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.187/ping.php?substr=twop
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.187/ping.php?substr=twot
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.187/ping.php?substr=twox
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.187/v
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.2057372935.0000000002E3D000.00000004.00000020.00020000.00000000.sdmp, vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=two&s=ab
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.2057372935.0000000002E3D000.00000004.00000020.00020000.00000000.sdmp, vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.000000000067E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=two&s=ab/SILENT/TOSTACK/NOCANCELgethttp://185.172.128.187/
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=two&s=ab0
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.90/cpa/ping.php?substr=two&s=abP
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: http://autoupdate-staging.services.ams.osa/
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://autoupdate-staging.services.ams.osa/v4/v5/netinstaller///windows/x64v2/Fetching
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2045088050.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2286793548.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2104253449.00000000038EC000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2343905294.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2287293767.000000000335B000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2045088050.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2286793548.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2104253449.00000000038EC000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2343905294.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2287293767.000000000335B000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2045088050.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2286793548.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2104253449.00000000038EC000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2343905294.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2287293767.000000000335B000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2045088050.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2286793548.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2104253449.00000000038EC000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2343905294.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2287293767.000000000335B000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2045088050.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2286793548.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2104253449.00000000038EC000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2343905294.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2287293767.000000000335B000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2045088050.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2286793548.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2104253449.00000000038EC000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2343905294.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2287293767.000000000335B000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2045088050.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2286793548.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2104253449.00000000038EC000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2343905294.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2287293767.000000000335B000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2045088050.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2286793548.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2104253449.00000000038EC000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2343905294.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2287293767.000000000335B000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	String found in binary or memory: http://invalidlog.txtlookup
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://localhost:3001api/prefs/?product=$1&version=$2..
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	String found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000000.1843284935.000000000040B000.00000002.00000001.01000000.0000000A.sdmp, 3iX1J0J7PXcnIfnf5KGl849r.exe, 00000011.00000000.1859837097.000000000040B000.00000002.00000001.01000000.0000000B.sdmp, H1Mms5Gptfho9VyHt62sHSNN.exe, 00000014.00000000.1948458807.000000000040B000.00000002.00000001.01000000.0000001B.sdmp, VWhRbFHRqImCr0UdFf6QtJNt.exe, 00000016.00000000.1943621838.000000000040B000.00000002.00000001.01000000.00000014.sdmp, mxmsi31bOIKdEb9VIHBYJshQ.exe, 00000021.00000000.2047728912.000000000040B000.00000002.00000001.01000000.00000026.sdmp, jLh2jXNiKaCQ93A91IuQMDiC.exe, 00000025.00000000.2064292451.000000000040B000.00000002.00000001.01000000.00000027.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000000.1843284935.000000000040B000.00000002.00000001.01000000.0000000A.sdmp, 3iX1J0J7PXcnIfnf5KGl849r.exe, 00000011.00000000.1859837097.000000000040B000.00000002.00000001.01000000.0000000B.sdmp, H1Mms5Gptfho9VyHt62sHSNN.exe, 00000014.00000000.1948458807.000000000040B000.00000002.00000001.01000000.0000001B.sdmp, VWhRbFHRqImCr0UdFf6QtJNt.exe, 00000016.00000000.1943621838.000000000040B000.00000002.00000001.01000000.00000014.sdmp, mxmsi31bOIKdEb9VIHBYJshQ.exe, 00000021.00000000.2047728912.000000000040B000.00000002.00000001.01000000.00000026.sdmp, jLh2jXNiKaCQ93A91IuQMDiC.exe, 00000025.00000000.2064292451.000000000040B000.00000002.00000001.01000000.00000027.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2045088050.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2286793548.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2104253449.00000000038EC000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2343905294.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2287293767.000000000335B000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2045088050.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2286793548.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2104253449.00000000038EC000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2343905294.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2287293767.000000000335B000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2045088050.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2286793548.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2104253449.00000000038EC000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2343905294.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2287293767.000000000335B000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2045088050.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2286793548.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2104253449.00000000038EC000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2343905294.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2287293767.000000000335B000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2045088050.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2286793548.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2104253449.00000000038EC000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2343905294.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2287293767.000000000335B000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2045088050.0000000003E1D000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2286793548.0000000003429000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2104253449.00000000038EC000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2343905294.00000000037B2000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2287293767.000000000335B000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: http://www.opera.com0
Source: syncUpd.exe, 0000000F.00000002.3094793528.000000001AD84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: syncUpd.exe, 0000000F.00000003.2281275820.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://addons.opera.com/en/extensions/details/dify-cashback/
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f.opera.com
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2416720122.0000000045A40000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4fC:
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2401048572.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423165911.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2381790231.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2363415183.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2382378174.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2391593565.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2387931999.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2364591268.0000000000F09000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410715389.0000000000F09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/(
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2364591268.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2387931999.0000000000EAF000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410715389.0000000000EAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/1?
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/9F
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410615687.0000000000E48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/M
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001610000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/SG
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/UK
Source: zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/W
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/_Event_
Source: 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2401048572.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423165911.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2381790231.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2363415183.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2382378174.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2391593565.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/b
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2422974806.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2409772902.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/geolocation/
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442550747.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/geolocation/4
Source: 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2422974806.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2409772902.0000000000B74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/geolocation/?
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/https://autoupdate.geo.opera.com/geolocation/OperaDesktophttps://cr
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/i
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2364591268.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2396767707.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410697635.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410615687.0000000000E48000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2406947090.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2388066950.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2443889635.000000003F640000.00000004.00001000.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2444110885.000000003F69C000.00000004.00001000.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442550747.000000000160A000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001610000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442550747.00000000015B8000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2884161745.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x648b
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64Cb
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.0000000001612000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64E
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2444110885.000000003F69C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64e?i
Source: zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2884161745.00000000010A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64uh#
Source: 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2422974806.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2409772902.0000000000B74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64y
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2396767707.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410697635.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2406947090.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2388066950.0000000000EAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64z
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2364591268.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2387931999.0000000000EAF000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410715389.0000000000EAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://autoupdate.geo.opera.com/y
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	String found in binary or memory: https://blockchain.infoindex
Source: syncUpd.exe, 0000000F.00000003.2281275820.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: syncUpd.exe, 0000000F.00000003.2281275820.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: syncUpd.exe, 0000000F.00000003.2281275820.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://crashpad.chromium.org/
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2506090579.0000000001430000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2499037489.0000000001280000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2521237730.000000004CA5C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crashstats-collector.opera.com/collector/submit
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2456981913.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2458031390.000000005C814000.00000004.00001000.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2514125929.000000004CA14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crashstats-collector.opera.com/collector/submit--annotation=channel=Stable--annotation=plat=
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2515439121.000000004CA24000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crashstats-collector.opera.com/collector/submit0x2e4
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2458048121.000000005C824000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crashstats-collector.opera.com/collector/submit0x2e8
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2425494524.0000000033C24000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crashstats-collector.opera.com/collector/submit0x2f4
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2425494524.0000000033C24000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crashstats-collector.opera.com/collector/submit3
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2425980036.0000000033CB0000.00000004.00001000.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2458331076.000000005C8B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crashstats-collector.opera.com/collector/submitC:
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2515439121.000000004CA24000.00000004.00001000.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2521237730.000000004CA5C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crashstats-collector.opera.com/collector/submitL
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2387931999.0000000000F11000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410715389.0000000000F11000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001610000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F70000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2387931322.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2395100407.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2407930928.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410715389.0000000000F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/1
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/3
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.0000000001666000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/8
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/?
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/A
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001610000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/DllFuncName
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/E
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2364591268.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2387931999.0000000000EAF000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410715389.0000000000EAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/P(s
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/Security
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2407930928.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2404639801.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414780293.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/U
Source: 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2401048572.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423165911.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2381790231.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2363415183.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2382378174.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2391593565.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/V
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001610000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/W
Source: zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/X
Source: 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2401048572.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423165911.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2391593565.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/b
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/exeW
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/k
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/l
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2364591268.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2387931999.0000000000EAF000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410715389.0000000000EAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/o
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/r-sub.osp.opera.software/
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/r-sub.osp.opera.software/Dy
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.0000000001666000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/s#
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/ssContentHintDecodeExDllFuncNamew
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410715389.0000000000F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/t
Source: zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/b
Source: 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2409772902.0000000000B74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binary
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binary#
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442550747.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binary/
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442550747.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binary/B
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binary2rhi
Source: zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388143044.0000000001110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binary3
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binary6
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binary7
Source: 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2401048572.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423165911.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2381790231.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2363415183.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2382378174.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2391593565.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binary8c
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryA
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryCa
Source: zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryF
Source: zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryI
Source: 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2401048572.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423165911.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2381790231.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2382378174.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2391593565.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryMt
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410615687.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryU
Source: 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2401048572.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423165911.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2381790231.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2382378174.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2391593565.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryUS)
Source: zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryX
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2364591268.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2387931999.0000000000EAF000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410715389.0000000000EAF000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binarya
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2401048572.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423165911.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2381790231.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2382378174.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2391593565.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binarye
Source: 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423730656.00000000034C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryera.software
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryera.software_
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410615687.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryera.softwarest
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryetmsg.dll.mui
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410715389.0000000000F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryf
Source: zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388143044.0000000001110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryg
Source: 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2401048572.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423165911.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2381790231.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2382378174.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2391593565.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryim9;
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binarym
Source: zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryn
Source: 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2401048572.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423165911.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2381790231.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2382378174.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2391593565.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryncO
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001610000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binarynt
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2387931999.0000000000F11000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410715389.0000000000F11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryo
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryur
Source: 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2422974806.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2409772902.0000000000B74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryv
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryy
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.0000000001666000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/y
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.opera.com/
Source: zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.opera.com/-sub.osp.opera.software/y
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2361773425.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2444214649.000000003F6E0000.00000004.00001000.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2379241385.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2410307403.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2430979117.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2393171018.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2435436063.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001610000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442781384.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2436840383.000000003F734000.00000004.00001000.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2372910856.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2417196433.0000000045A8C000.00000004.00001000.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2408410558.0000000045B34000.00000004.00001000.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2425396629.00000000380E0000.00000004.00001000.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2363345584.0000000000C32000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2363415183.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=1
Source: 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2363415183.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=10
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001610000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=19F
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2417221880.0000000045A9C000.00000004.00001000.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2417196433.0000000045A8C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=1E
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000164C000.00000004.00000020.00020000.00000000.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2820867767.0000000029B34000.00000004.00001000.00020000.00000000.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2356908534.0000000001653000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2407180517.000000002E134000.00000004.00001000.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2412352500.000000002E0E0000.00000004.00001000.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2364591268.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2378402420.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2444214649.000000003F6E0000.00000004.00001000.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2379241385.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2410307403.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2430979117.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2393171018.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2435436063.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442781384.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2436840383.000000003F734000.00000004.00001000.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2368162064.0000000001118000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2884161745.00000000010A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.opera.com/download/get/?id=65199&autoupdate=1&ni=1&stream=stable&utm_campaign=767&u
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download3.operacdn.com/
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download3.operacdn.com/$
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2387931322.0000000000FB2000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414738796.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2404639801.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2388133805.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download3.operacdn.com/ftp/pub/opera/desktop/108.0.5067.24/win/Opera_108.0.5067.24_Autoupdat
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download3.operacdn.com/zi
Source: syncUpd.exe, 0000000F.00000003.2281275820.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: syncUpd.exe, 0000000F.00000003.2281275820.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: syncUpd.exe, 0000000F.00000003.2281275820.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://features.opera-api2.com/api/v2/features?country=%s&language=%s&uuid=%s&product=%s&channel=%s
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	String found in binary or memory: https://gamemaker.io
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	String found in binary or memory: https://gamemaker.io)
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	String found in binary or memory: https://gamemaker.io/en/education.
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	String found in binary or memory: https://gamemaker.io/en/get.
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	String found in binary or memory: https://help.instagram.com/581066165581870;
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://help.opera.com/latest/
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	String found in binary or memory: https://legal.opera.com/eula/computers
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	String found in binary or memory: https://legal.opera.com/privacy
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	String found in binary or memory: https://legal.opera.com/privacy.
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	String found in binary or memory: https://legal.opera.com/terms
Source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	String found in binary or memory: https://legal.opera.com/terms.
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://opera.com/privacy
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	String found in binary or memory: https://policies.google.com/terms;
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://redir.opera.com/uninstallsurvey/
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2416720122.0000000045A40000.00000004.00001000.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2408410558.0000000045B34000.00000004.00001000.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2425396629.00000000380E0000.00000004.00001000.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2363345584.0000000000C32000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2389660858.0000000038134000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://redir.opera.com/www.opera.com/firstrun/?utm_campaign=767&utm_medium=apb&utm_source=mkt&http_
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	String found in binary or memory: https://sourcecode.opera.com
Source: syncUpd.exe, 0000000F.00000003.2460020892.0000000027127000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: syncUpd.exe, 0000000F.00000003.2460020892.0000000027127000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: syncUpd.exe, 0000000F.00000002.2876636083.0000000000447000.00000040.00000001.01000000.0000000D.sdmp, syncUpd.exe, 0000000F.00000003.2110774330.0000000020D0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: syncUpd.exe, 0000000F.00000002.2876636083.0000000000447000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: syncUpd.exe, 0000000F.00000003.2110774330.0000000020D0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	String found in binary or memory: https://telegram.org/tos/
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	String found in binary or memory: https://twitter.com/en/tos;
Source: syncUpd.exe, 0000000F.00000003.2281275820.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: syncUpd.exe, 0000000F.00000003.2281275820.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: syncUpd.exe, 0000000F.00000002.2876636083.0000000000549000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: syncUpd.exe, 0000000F.00000002.2876636083.0000000000549000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.mozilla.org/about/e
Source: syncUpd.exe, 0000000F.00000003.2460020892.0000000027127000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: syncUpd.exe, 0000000F.00000002.2876636083.0000000000447000.00000040.00000001.01000000.0000000D.sdmp, syncUpd.exe, 0000000F.00000002.2876636083.0000000000549000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: syncUpd.exe, 0000000F.00000002.2876636083.0000000000549000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/VxHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0
Source: syncUpd.exe, 0000000F.00000003.2460020892.0000000027127000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: syncUpd.exe, 0000000F.00000002.2876636083.0000000000447000.00000040.00000001.01000000.0000000D.sdmp, syncUpd.exe, 0000000F.00000002.2876636083.0000000000549000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: syncUpd.exe, 0000000F.00000003.2460020892.0000000027127000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: syncUpd.exe, 0000000F.00000002.2876636083.0000000000549000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: syncUpd.exe, 0000000F.00000002.2876636083.0000000000447000.00000040.00000001.01000000.0000000D.sdmp, syncUpd.exe, 0000000F.00000002.2876636083.0000000000549000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: syncUpd.exe, 0000000F.00000003.2460020892.0000000027127000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: syncUpd.exe, 0000000F.00000002.2876636083.0000000000549000.00000040.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://www.opera.com
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://www.opera.com..
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://www.opera.com/
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://www.opera.com/download/
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	String found in binary or memory: https://www.opera.com/privacy
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	String found in binary or memory: https://www.whatsapp.com/legal;

Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe

Code function: 10_2_0040710B GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

10_2_0040710B

E-Banking Fraud

Yara detected Glupteba

Source: Yara match	File source: 38.1.VF98zhY4QVhDxJpNtAE2TU6d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.f2CDTsUNlMadewChtQe3a8Da.exe.3690000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000001.2270329448.0000000000843000.00000040.00000001.01000000.0000002A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f2CDTsUNlMadewChtQe3a8Da.exe PID: 10968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VF98zhY4QVhDxJpNtAE2TU6d.exe PID: 14320, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000F.00000002.2877180819.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000F.00000002.2877662329.0000000000833000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe

Code function: 10_2_00404375 EntryPoint,SetErrorMode,GetVersion,lstrlenA,InitCommonControls,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,DeleteFileA,DeleteFileA,GetWindowsDirectoryA,DeleteFileA,DeleteFileA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,DeleteFileA,DeleteFileA,OleUninitialize,GetCurrentProcess,ExitWindowsEx,ExitProcess,

10_2_00404375

Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: 31_1_001A2C70	31_1_001A2C70
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: 31_1_001A25D0	31_1_001A25D0
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: 31_1_001A16B0	31_1_001A16B0
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: 31_1_001BA230	31_1_001BA230
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: 31_1_001D6A72	31_1_001D6A72
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: 31_1_001BABB4	31_1_001BABB4
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: 31_1_001B33F0	31_1_001B33F0
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: 31_1_001B7419	31_1_001B7419
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: 31_1_001B8454	31_1_001B8454
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: 31_1_001D2492	31_1_001D2492
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: 31_1_001B6788	31_1_001B6788

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: String function: 004043B0 appears 316 times
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: String function: 001E5DF0 appears 40 times
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: String function: 001B1E30 appears 43 times

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6908 -s 56832

Source: 3SqWYf8qFi.exe

Static PE information: invalid certificate

Source: IGVy70B2MbWqfodclXqYMOZv.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: UI7LDXaAp2RaeFVHf9g6LwB6.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: LulQEAYQpS9lk1qZLpImyHK7.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 9pxDWajsJYwYwL1brTzHEdek.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 4F7ctSfTyUiwf5E5Jj8ISwxp.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: tlmCvYWISSwVWnUxg9w0yKg0.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: rSYsgRim3M5YCzGnR78v4Mm1.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: LiMUMFNfqgHoXxfy9KUypTg9.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: MWbupbq1lCIXYvylS8lGgBPD.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: LKiziaTKHXhXmsyq7iSl6Znq.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: guekS5iP2Ex1XPBodoRkDEP3.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: nYogaRAZxPLuvJnrVaN7fjAe.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: zcKoLXDqvdAUIOoGZ6SAU0N3.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: hoIRHCmbfleOimlEQBUf6Nsu.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: Slo3nPYDYKdAC0gOANfeI09y.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: Ktf4CHbIF92R4VV827YiDPbm.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: phZoEhmPHJEnryk70uKpl9zQ.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: XIBzivlqsIPRfzklN9g3VnQx.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: EGZvqStEuOZgeHhVMxPhyZjZ.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: lpOXM8pg9J4cVKMm0aJJw34A.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: tkxNqRBruO0TCZ7E4aLz1RHH.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 7yvJjVKbdq1WHJrfxFmH3872.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: lLVPG0Pkhk3MeRMVuEfaKb2V.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: s2A2nVFap842S1hTJXF9l5R8.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: SN1mrhiBAGt5YdpSiR94ouLj.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: XgRMsEcdNLhAV5ZMS6q0eNdc.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: nvMOfQgAbNYiBrdqNEHby9rc.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: aUJQGrpjjWYYDUiVfYPZvQ7q.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: b1uZ67lknMP13RedpY9EzGAj.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: w9PVG5CKOJz2PxNYSzlQtvrS.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: UIlVvmdU1KS1YgdCPOj7XPRB.exe.4.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: 3SqWYf8qFi.exe

Static PE information: No import functions for PE file found

Source: 3SqWYf8qFi.exe, 00000000.00000000.1621550370.0000028B2B932000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameNewWorldOrderIsComingSoon.exeT vs 3SqWYf8qFi.exe

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: userenv.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: propsys.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: oleacc.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: version.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: wldp.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: wininet.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: profapi.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: netutils.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: winmm.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: winsta.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: sxs.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: amsi.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: userenv.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: profapi.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: version.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: version.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: secur32.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: wininet.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: propsys.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: winmm.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: userenv.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: dbgcore.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: wldp.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: profapi.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: netutils.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: schannel.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: winmm.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: winsta.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: sxs.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: amsi.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: userenv.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: profapi.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: version.dll
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: winmm.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: winsta.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: sxs.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: amsi.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: userenv.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: profapi.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: version.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: winmm.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: winsta.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: sxs.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: amsi.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: userenv.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: profapi.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: version.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: userenv.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: propsys.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: oleacc.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: version.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: wldp.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: version.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: secur32.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: wininet.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: propsys.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: winmm.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: userenv.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: dbgcore.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: wldp.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: profapi.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: netutils.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: schannel.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: userenv.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: propsys.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: oleacc.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: version.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: wldp.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: colorui.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: mscms.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: compstui.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: inetres.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: oleacc.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: userenv.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: propsys.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: oleacc.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: version.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: shfolder.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: wldp.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: winmm.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: winsta.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: sxs.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: amsi.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: userenv.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: profapi.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: version.dll
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Section loaded: winmm.dll
Source: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Section loaded: winsta.dll
Source: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Section loaded: wbemcomn.dll

Source: 0000000F.00000002.2877180819.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000F.00000002.2877662329.0000000000833000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@132/420@0/100

Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe

Code function: 31_1_001A16B0 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,FindResourceW,LoadResource,SizeofResource,LockResource,FreeLibrary,GetLastError,GetLastError,FreeLibrary,DeleteFileW,DeleteFileW,GetLastError,GetProcAddress,FreeLibrary,DeleteFileW,MessageBoxW,FreeLibrary,FreeLibrary,DeleteFileW,FreeLibrary,GetLastError,MessageBoxW,FormatMessageA,

31_1_001A16B0

Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe

Code function: 10_2_00405C44 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,GetDiskFreeSpaceA,MulDiv,

10_2_00405C44

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

Code function: 15_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

15_2_00415D00

Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe

Code function: 10_2_00402988 CoCreateInstance,MultiByteToWideChar,

10_2_00402988

Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe

31_1_001A16B0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:14804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3664:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6908

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pexq1oom.qsz.ps1

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "

Source: 3SqWYf8qFi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: 3SqWYf8qFi.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: syncUpd.exe, 0000000F.00000002.3094793528.000000001AD84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: syncUpd.exe, 0000000F.00000002.3094793528.000000001AD84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: syncUpd.exe, 0000000F.00000002.3094793528.000000001AD84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: syncUpd.exe, 0000000F.00000002.3094793528.000000001AD84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: syncUpd.exe, 0000000F.00000002.3094793528.000000001AD84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: syncUpd.exe, 0000000F.00000002.3094793528.000000001AD84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: syncUpd.exe, 0000000F.00000002.3094793528.000000001AD84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: syncUpd.exe, 0000000F.00000003.2280398421.00000000008DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: syncUpd.exe, 0000000F.00000002.3094793528.000000001AD84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: syncUpd.exe, 0000000F.00000002.3094793528.000000001AD84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: 3SqWYf8qFi.exe	ReversingLabs: Detection: 18%
Source: 3SqWYf8qFi.exe	Virustotal: Detection: 25%

Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: opera-startpage-special
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: run-at-startup
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: replace-addons-extensions-with-gx-store-substitutes
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: run-at-startup-default
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: video-on-start-page
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: yat-emoji-addresses
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: installer-bypass-launcher
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Local\%ls/Installer/UI_lock
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Global\Opera/Installer/
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: When enabled, https://addons.opera.com/en/extensions/details/dify-cashback/ extension will be added to the user's extensions
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: OperaInstaller/InstallationInterrupted
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: enable-installer-stats
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: launchopera-on-os-start
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: master-copy-installation
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: show-eula-window-on-start
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: test-pre-installed-extensions-dir
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: post-elevated-install-tasks
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: all-installer-experiments
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: ran-launcher
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: opera-startpage-special
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: replace-addons-extensions-with-gx-store-substitutes
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: run-at-startup
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: run-at-startup-default
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: video-on-start-page
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: yat-emoji-addresses
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: Local\%ls/Installer/UI_lock
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: installer-bypass-launcher
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: Global\Opera/Installer/
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: When enabled, https://addons.opera.com/en/extensions/details/dify-cashback/ extension will be added to the user's extensions
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: OperaInstaller/InstallationInterrupted
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: enable-installer-stats
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: test-pre-installed-extensions-dir
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: launchopera-on-os-start
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: master-copy-installation
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: show-eula-window-on-start
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: post-elevated-install-tasks
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: all-installer-experiments
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: ran-launcher
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: &Re-install
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Global\Opera/Installer/
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Installatie&pad#Installeer voor alle gebruikers in:%Installeer voor huidige gebruiker in: Standalone-installatie (USB) in:
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: OperaInstaller/InstallationInterrupted
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: enable-installer-stats
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: launchopera-on-os-start
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: master-copy-installation
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: show-eula-window-on-start
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: run-at-startup
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: test-pre-installed-extensions-dir
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: post-elevated-install-tasks
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: gendQ$1 kann nicht zustzlich zu einer bestehenden $2-Installation installiert werden. Laufwerk $1 ($2 MB erforderlich)-Wird herun
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Path sa &pag-install#I-install para sa lahat ng user sa:'I-install para sa kasalukuyang user sa:&Stand-alone na pag-i-install (USB
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: all-installer-experiments
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: &Baguhin!Di-balido ang path sa pag-install$Gawing &default na browser ang Opera>&Mag-import ng mga bookmark at data mula sa defaul
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Een andere instantie van het Opera-installatieprogramma werkt al in deze map. Je kan de installatie annuleren, of over een paar mi
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Ini-install
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: +Ini-install para sa kasalukuyang user ($1)
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: y mawawala. Gusto mo bang ipagpatuloy?bHindi natapos sa Opera ang pag-install. Sigurado ka bang hindi mo na ipagpatuloy ang instal
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Ini-install ang Opera na may mga settin ng shortcut at rehistro para sa lahat ng user na nasa system. Kinakailangan ng mga prebile
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Ini-install lamang ang mga setting ng shortcut at rehistro para sa kaslukuyang user. Hindi kinakailangan ng mga prebilehiyo ng sys
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Ini-install ang lahat sa iisang folder, lokal man o sa panlabas na media, tulad ng USB drive, nang hindi ginagalaw ang rehistro o
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Nabigong i-download ang Opera.(Hindi nagawa ang pag-extract ng package.;Nagkaroon ng error habang sinusubukang i-install ang Opera
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: May isa pang pagkakataon ng installer ng Opera ang gumagawa na sa folder na ito. Alinman ay maaari mong kanselahin ang pag-install
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Hindi malikha ang folder na $1.JWalang sapat na mga privilege para sa pag-install sa ninanais na lokasyon.@Nabigong makakuha ng ad
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Hindi ma-install ang Opera.exe. Naka-lock ang ilang file sa folder ng pag-install. I-restart ang computer o i-unblock ang mga file
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: XHindi na-reinstall ang Opera.exe. Siguraduhing hindi gumagana ang Opera at subukan ulit.QHindi ma-update ang Opera. Siguraduhing
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: pangunahin mong dahilan sa pag-uninstall ng Opera?ZWala namang problema. Magre-reinstall o mag-a-update lang ako sa isang mas bag
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Piliin ang path ng pag-install
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: s Breakpad server URL, only if uploads are enabled for the database --help display this help and exit --version output version information and exit
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: s Breakpad server URL, only if uploads are enabled for the database --help display this help and exit --version output version information and exit
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: opera-startpage-special
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: replace-addons-extensions-with-gx-store-substitutes
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: run-at-startup-default
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: video-on-start-page
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: yat-emoji-addresses
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: installer-bypass-launcher
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Local\%ls/Installer/UI_lock
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: When enabled, https://addons.opera.com/en/extensions/details/dify-cashback/ extension will be added to the user's extensions
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: partition_alloc/address_space
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: ran-launcher
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe	String found in binary or memory: Opera-installeringsprogrammInstallationsfilen ser ud til at vre beskadiget. G til <a href="tos">www.opera.com</a>, og hent Opera
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: opera-startpage-special
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: replace-addons-extensions-with-gx-store-substitutes
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: run-at-startup
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: run-at-startup-default
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: video-on-start-page
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: yat-emoji-addresses
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: Local\%ls/Installer/UI_lock
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: installer-bypass-launcher
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: Global\Opera/Installer/
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: When enabled, https://addons.opera.com/en/extensions/details/dify-cashback/ extension will be added to the user's extensions
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: OperaInstaller/InstallationInterrupted
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: enable-installer-stats
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: test-pre-installed-extensions-dir
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: launchopera-on-os-start
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: master-copy-installation
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: show-eula-window-on-start
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: post-elevated-install-tasks
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: all-installer-experiments
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: ran-launcher
Source: Rfsq67IamA4rPpnX6LHMDFkm.exe	String found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: opera-startpage-special
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: run-at-startup
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: replace-addons-extensions-with-gx-store-substitutes
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: run-at-startup-default
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: video-on-start-page
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: yat-emoji-addresses
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: installer-bypass-launcher
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: Local\%ls/Installer/UI_lock
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: Global\Opera/Installer/
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: When enabled, https://addons.opera.com/en/extensions/details/dify-cashback/ extension will be added to the user's extensions
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: OperaInstaller/InstallationInterrupted
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: enable-installer-stats
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: launchopera-on-os-start
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: master-copy-installation
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: show-eula-window-on-start
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: test-pre-installed-extensions-dir
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: post-elevated-install-tasks
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: Try '%ls --help' for more information.
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: all-installer-experiments
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: ran-launcher
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe	String found in binary or memory: https://addons.opera.com/extensions/download/be76331b95dfc399cd776d2fc68021e0db03cc4f

Source: unknown	Process created: C:\Users\user\Desktop\3SqWYf8qFi.exe C:\Users\user\Desktop\3SqWYf8qFi.exe
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SqWYf8qFi.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6908 -s 56832
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe "C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe "C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe "C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe "C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe "C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe"
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Process created: C:\Users\user\AppData\Local\Temp\syncUpd.exe C:\Users\user\AppData\Local\Temp\syncUpd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe "C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe "C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe "C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe "C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe"
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Process created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe C:\Users\user\AppData\Local\Temp\BroomSetup.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe "C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe "C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe "C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\dZhcoTSgym1JGRiEQOUqAdeo.exe "C:\Users\user\Pictures\dZhcoTSgym1JGRiEQOUqAdeo.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\rfKusEcfqkKKVyx19jVITYlO.exe "C:\Users\user\Pictures\rfKusEcfqkKKVyx19jVITYlO.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe "C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe" --silent --allusers=0
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Process created: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c4b21c8,0x6c4b21d4,0x6c4b21e0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe "C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe" --silent --allusers=0
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Process created: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d4,0x300,0x6b8021c8,0x6b8021d4,0x6b8021e0
Source: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe	Process created: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2c4,0x304,0x6bd721c8,0x6bd721d4,0x6bd721e0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\mxmsi31bOIKdEb9VIHBYJshQ.exe "C:\Users\user\Pictures\mxmsi31bOIKdEb9VIHBYJshQ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe "C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe "C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe" --silent --allusers=0
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\jLh2jXNiKaCQ93A91IuQMDiC.exe "C:\Users\user\Pictures\jLh2jXNiKaCQ93A91IuQMDiC.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\VF98zhY4QVhDxJpNtAE2TU6d.exe "C:\Users\user\Pictures\VF98zhY4QVhDxJpNtAE2TU6d.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	Process created: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6ae821c8,0x6ae821d4,0x6ae821e0
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\rMuSSyE2z14xNxfrVLVv1kvs.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\rMuSSyE2z14xNxfrVLVv1kvs.exe" --version
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	Process created: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6a9c21c8,0x6a9c21d4,0x6a9c21e0
Source: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe	Process created: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6a5021c8,0x6a5021d4,0x6a5021e0
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SqWYf8qFi.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe "C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe "C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe "C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe "C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe "C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe "C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe "C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe "C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe "C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe "C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe "C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe "C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\dZhcoTSgym1JGRiEQOUqAdeo.exe "C:\Users\user\Pictures\dZhcoTSgym1JGRiEQOUqAdeo.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\rfKusEcfqkKKVyx19jVITYlO.exe "C:\Users\user\Pictures\rfKusEcfqkKKVyx19jVITYlO.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe "C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe "C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\mxmsi31bOIKdEb9VIHBYJshQ.exe "C:\Users\user\Pictures\mxmsi31bOIKdEb9VIHBYJshQ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe "C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe "C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\jLh2jXNiKaCQ93A91IuQMDiC.exe "C:\Users\user\Pictures\jLh2jXNiKaCQ93A91IuQMDiC.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\VF98zhY4QVhDxJpNtAE2TU6d.exe "C:\Users\user\Pictures\VF98zhY4QVhDxJpNtAE2TU6d.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Process created: C:\Users\user\AppData\Local\Temp\syncUpd.exe C:\Users\user\AppData\Local\Temp\syncUpd.exe
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Process created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe C:\Users\user\AppData\Local\Temp\BroomSetup.exe
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Process created: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c4b21c8,0x6c4b21d4,0x6c4b21e0
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\rMuSSyE2z14xNxfrVLVv1kvs.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\rMuSSyE2z14xNxfrVLVv1kvs.exe" --version
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Process created: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d4,0x300,0x6b8021c8,0x6b8021d4,0x6b8021e0
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
Source: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe	Process created: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2c4,0x304,0x6bd721c8,0x6bd721d4,0x6bd721e0
Source: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	Process created: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6ae821c8,0x6ae821d4,0x6ae821e0
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	Process created: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6a9c21c8,0x6a9c21d4,0x6a9c21e0
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe	Process created: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6a5021c8,0x6a5021d4,0x6a5021e0
Source: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe

Window found: window name: TButton

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 3SqWYf8qFi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: 3SqWYf8qFi.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 3SqWYf8qFi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Loader.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.00000000001A1000.00000040.00000001.01000000.0000001A.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001A1000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CA1000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.00000000001F1000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000091000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.0000000000021000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.00000000001F1000.00000040.00000001.01000000.00000029.sdmp
Source:	Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: `K_lib.dll.pdb@+ source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000000.1862298101.00000000011A7000.00000080.00000001.01000000.0000000C.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000000.1946950834.0000000000407000.00000080.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000000.1943633581.0000000000F07000.00000080.00000001.01000000.00000018.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000001C.00000000.1976024041.00000000011A7000.00000080.00000001.01000000.0000000C.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000000.1948656923.0000000000AA7000.00000080.00000001.01000000.0000001D.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000000.2012097688.0000000000407000.00000080.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000000.2054392398.0000000000F07000.00000080.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000000.2058242868.0000000000457000.00000080.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000000.2064487479.00000000002F7000.00000080.00000001.01000000.00000028.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 00000028.00000000.2058335131.0000000000AA7000.00000080.00000001.01000000.0000001D.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000000.2084551332.0000000000287000.00000080.00000001.01000000.0000002C.sdmp
Source:	Binary string: Age does not matchThe module age and .pdb age do not match. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003F08000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .exe.pdb source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000000.1862298101.00000000011A7000.00000080.00000001.01000000.0000000C.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000000.1946950834.0000000000407000.00000080.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000000.1943633581.0000000000F07000.00000080.00000001.01000000.00000018.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000001C.00000000.1976024041.00000000011A7000.00000080.00000001.01000000.0000000C.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000000.1948656923.0000000000AA7000.00000080.00000001.01000000.0000001D.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000000.2012097688.0000000000407000.00000080.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000000.2054392398.0000000000F07000.00000080.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000000.2058242868.0000000000457000.00000080.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000000.2064487479.00000000002F7000.00000080.00000001.01000000.00000028.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 00000028.00000000.2058335131.0000000000AA7000.00000080.00000001.01000000.0000001D.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000000.2084551332.0000000000287000.00000080.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000000.2090220336.0000000000457000.00000080.00000001.01000000.00000029.sdmp
Source:	Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Downloading symbols for [%s] %ssrvsymsrvhttp://https://_bad_pdb_file.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb@+ source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Drive not readyThis error indicates a .pdb file related failure. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: `K_lib.dll.pdb source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000000.1862298101.00000000011A7000.00000080.00000001.01000000.0000000C.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000000.1946950834.0000000000407000.00000080.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000000.1943633581.0000000000F07000.00000080.00000001.01000000.00000018.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000001C.00000000.1976024041.00000000011A7000.00000080.00000001.01000000.0000000C.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000000.1948656923.0000000000AA7000.00000080.00000001.01000000.0000001D.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000000.2012097688.0000000000407000.00000080.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000000.2054392398.0000000000F07000.00000080.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000000.2058242868.0000000000457000.00000080.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000000.2064487479.00000000002F7000.00000080.00000001.01000000.00000028.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 00000028.00000000.2058335131.0000000000AA7000.00000080.00000001.01000000.0000001D.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000000.2084551332.0000000000287000.00000080.00000001.01000000.0000002C.sdmp
Source:	Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Unable to locate the .pdb file in this location source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: The module signature does not match with .pdb signature. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdb.dbg source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: '(EfiGuardDxe.pdbx source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdbGCTL source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003F08000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: or you do not have access permission to the .pdb location. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: EfiGuardDxe.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: .exe.pdb@ source: rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000000.1862298101.00000000011A7000.00000080.00000001.01000000.0000000C.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000000.1946950834.0000000000407000.00000080.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000000.1943633581.0000000000F07000.00000080.00000001.01000000.00000018.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000001C.00000000.1976024041.00000000011A7000.00000080.00000001.01000000.0000000C.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000000.1948656923.0000000000AA7000.00000080.00000001.01000000.0000001D.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000000.2012097688.0000000000407000.00000080.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000000.2054392398.0000000000F07000.00000080.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000000.2058242868.0000000000457000.00000080.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000000.2064487479.00000000002F7000.00000080.00000001.01000000.00000028.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 00000028.00000000.2058335131.0000000000AA7000.00000080.00000001.01000000.0000001D.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000000.2084551332.0000000000287000.00000080.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000000.2090220336.0000000000457000.00000080.00000001.01000000.00000029.sdmp
Source:	Binary string: Signature does not matchThe module signature does not match with .pdb signature source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb@ source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.00000000001A1000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000CA1000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.00000000001A1000.00000040.00000001.01000000.0000001A.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001A1000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CA1000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.00000000001F1000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000091000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.0000000000021000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.00000000001F1000.00000040.00000001.01000000.00000029.sdmp
Source:	Binary string: dbghelp.pdb source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdbGCTL source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

Unpacked PE file: 15.2.syncUpd.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

Unpacked PE file: 15.2.syncUpd.exe.400000.0.unpack

Source: 3SqWYf8qFi.exe

Static PE information: 0xAF428149 [Tue Mar 6 01:47:53 2063 UTC]

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

Code function: 15_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

15_2_00416240

Source: jLh2jXNiKaCQ93A91IuQMDiC.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: LKiziaTKHXhXmsyq7iSl6Znq.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x42280e
Source: rSYsgRim3M5YCzGnR78v4Mm1.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x42280e
Source: zcKoLXDqvdAUIOoGZ6SAU0N3.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x41f73d
Source: hoIRHCmbfleOimlEQBUf6Nsu.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x41f73d
Source: tlmCvYWISSwVWnUxg9w0yKg0.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x42280e
Source: 4cq2SZqMHS3XYqkYi9qoDSje.exe.4.dr	Static PE information: real checksum: 0x2de4aa should be: 0x2d5f4f
Source: j1XOgROBJfvz0cRzU7rPw7NS.exe.4.dr	Static PE information: real checksum: 0x2da789 should be: 0x2e222d
Source: EGZvqStEuOZgeHhVMxPhyZjZ.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x42280e
Source: SN1mrhiBAGt5YdpSiR94ouLj.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x41f73d
Source: leLskzRZPIglQflslvTIwLTy.exe.4.dr	Static PE information: real checksum: 0x2d9b65 should be: 0x2e1609
Source: Lp5WnTgHCMiSZVksHSRp5zyx.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: UIlVvmdU1KS1YgdCPOj7XPRB.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x42280e
Source: C2ytbpXjpVGZQltGJ6eXiuhX.exe.4.dr	Static PE information: real checksum: 0x2e0097 should be: 0x2d7b3c
Source: Slo3nPYDYKdAC0gOANfeI09y.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x42280e
Source: 9pxDWajsJYwYwL1brTzHEdek.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x41f73d
Source: sP3BgFXaLWMMa0a6kgrVZ5A3.exe.4.dr	Static PE information: real checksum: 0x2d9b65 should be: 0x2e1609
Source: 03VPbfdR0v0eUJbl3BY2yvWa.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: HN7tYbFl9xu8SJ0TV9kPnV6R.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: S58tmyihHBD6BmCz1ZODtpm0.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: qLEG52WWxIWvDwEETVieoeBU.exe.4.dr	Static PE information: real checksum: 0x2de329 should be: 0x2d5dce
Source: 4F7ctSfTyUiwf5E5Jj8ISwxp.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x42280e
Source: tkxNqRBruO0TCZ7E4aLz1RHH.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x42280e
Source: fDVyGnt4qkfC1RQX2yjdlha8.exe.4.dr	Static PE information: real checksum: 0x2d3429 should be: 0x2daecd
Source: aUJQGrpjjWYYDUiVfYPZvQ7q.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x41f73d
Source: XIBzivlqsIPRfzklN9g3VnQx.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x41f73d
Source: 7yvJjVKbdq1WHJrfxFmH3872.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x42280e
Source: l4uKqmU2WFXWkMNLmByrfqyU.exe.4.dr	Static PE information: real checksum: 0x2d783f should be: 0x2df2e3
Source: b1uZ67lknMP13RedpY9EzGAj.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x42280e
Source: LulQEAYQpS9lk1qZLpImyHK7.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x42280e
Source: lLVPG0Pkhk3MeRMVuEfaKb2V.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x41f73d
Source: Ktf4CHbIF92R4VV827YiDPbm.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x41f73d
Source: UI7LDXaAp2RaeFVHf9g6LwB6.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x41f73d
Source: nvMOfQgAbNYiBrdqNEHby9rc.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x42280e
Source: UrT5ltGRxob1yeMhM5Nnnzax.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: NUsC1LZWtdLvV2hVDgycM5e6.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: MW0Q5IkKXdDw9nrX6CojJx9n.exe.4.dr	Static PE information: real checksum: 0x2d7104 should be: 0x2deba8
Source: nrklq6P1CNvXZbzoZhiYO66H.exe.4.dr	Static PE information: real checksum: 0x2d3429 should be: 0x2daecd
Source: B8Lqzc0h0CXWQep40oCdtIvu.exe.4.dr	Static PE information: real checksum: 0x2de4aa should be: 0x2d5f4f
Source: nYogaRAZxPLuvJnrVaN7fjAe.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x41f73d
Source: lpOXM8pg9J4cVKMm0aJJw34A.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x42280e
Source: 5pdwJpq902hXA5VnaRygPeAf.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: DOHofbJiGO0ppvf8BnLjEcOT.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: cNYL5IyksZKthNvEJoyBw8Ag.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: HFiFGl6AR63OLnORhPPDiWeA.exe.4.dr	Static PE information: real checksum: 0x2d7104 should be: 0x2deba8
Source: s2A2nVFap842S1hTJXF9l5R8.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x41f73d
Source: aFkMZIYV0H3vyPVwOnL9WjBJ.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x42280e
Source: 0IFrK3aRWk7G6YUjUT8ew0OK.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: guekS5iP2Ex1XPBodoRkDEP3.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x41f73d
Source: MWbupbq1lCIXYvylS8lGgBPD.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x41f73d
Source: B9mSYpwKkVgW9jJSaxBMcATu.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: gC6HQHcPvsALd84vdJXhjM8b.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: jx4EXQWaWISJJqVjnXD4Dqaz.exe.4.dr	Static PE information: real checksum: 0x2d783f should be: 0x2df2e3
Source: 2xlrDVEKDyhTNLHkwA8DqN66.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: 2n6aZsnLKtKXJNMzWvG8Ou1L.exe.4.dr	Static PE information: real checksum: 0x2de329 should be: 0x2d5dce
Source: LiMUMFNfqgHoXxfy9KUypTg9.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x42280e
Source: EwzOUe6vEjttYfeygpeUfeHd.exe.4.dr	Static PE information: real checksum: 0x2e0097 should be: 0x2d7b3c
Source: IGVy70B2MbWqfodclXqYMOZv.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x42280e
Source: phZoEhmPHJEnryk70uKpl9zQ.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x41f73d
Source: w9PVG5CKOJz2PxNYSzlQtvrS.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x41f73d
Source: 06nVIZvE4iGjgzg643uXiijC.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: QRVPcUOZwKQgBVL5bWKd8sH5.exe.4.dr	Static PE information: real checksum: 0x1eaa5 should be: 0x211d62
Source: XgRMsEcdNLhAV5ZMS6q0eNdc.exe.4.dr	Static PE information: real checksum: 0x42386a should be: 0x41f73d

Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00402E4B push ebx; mov dword ptr [esp], 00413040h	10_2_00402EF6
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00401860 push eax; mov dword ptr [esp], ebx	10_2_0040192D
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00402613 push ecx; mov dword ptr [esp], ebx	10_2_00402634
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_0040183B push ecx; mov dword ptr [esp], eax	10_2_0040184E
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_004060FD push eax; mov dword ptr [esp], ebx	10_2_004062A3
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_004060FD push ebx; mov dword ptr [esp], 00434400h	10_2_004062BE
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_004060FD push eax; mov dword ptr [esp], 0040B410h	10_2_00406446
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_004060FD push esi; mov dword ptr [esp], 00000001h	10_2_00406505
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_004042BC push eax; mov dword ptr [esp], 00435400h	10_2_004042CF
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_004042BC push eax; mov dword ptr [esp], 00435400h	10_2_004042F1
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00403141 push edx; mov dword ptr [esp], eax	10_2_00403156
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_0040815B push ebx; mov dword ptr [esp], 0042AF40h	10_2_00408178
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_0040815B push eax; mov dword ptr [esp], 0042AF40h	10_2_004081F0
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00403164 push edi; mov dword ptr [esp], eax	10_2_00403177
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00404375 push ecx; mov dword ptr [esp], ebx	10_2_004043C9
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00404375 push ebx; mov dword ptr [esp], 0000000Bh	10_2_004043E6
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00404375 push eax; mov dword ptr [esp], 00000000h	10_2_00404471
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00404375 push edx; mov dword ptr [esp], eax	10_2_004044AE
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00404375 push eax; mov dword ptr [esp], ebx	10_2_00404590
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00404375 push eax; mov dword ptr [esp], 00435400h	10_2_004046E6
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00404375 push ecx; mov dword ptr [esp], 00427D20h	10_2_0040475B
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00404375 push eax; mov dword ptr [esp], 00427D20h	10_2_004047C0
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00404375 push ebx; mov dword ptr [esp], 00000002h	10_2_00404838
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00401B06 push edx; mov dword ptr [esp], eax	10_2_00401B53
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00401B06 push edi; mov dword ptr [esp], 00412840h	10_2_00401B6A
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00401DB0 push edi; mov dword ptr [esp], eax	10_2_00401E18
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_004085B8 push eax; mov dword ptr [esp], ebx	10_2_00408671
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_004085B8 push eax; mov dword ptr [esp], ebx	10_2_0040873D
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_004085B8 push eax; mov dword ptr [esp], ebx	10_2_00408763
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_004085B8 push ecx; mov dword ptr [esp], ebx	10_2_004087E3
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_004085B8 push esi; mov dword ptr [esp], ebx	10_2_004087EC

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\4oOqWbJEImqDRLxD75xKRNjm.exe	Jump to dropped file
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Opera_108.0.5067.24_Autoupdate_x64[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\S58tmyihHBD6BmCz1ZODtpm0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\GzgoX5V54ke4dVGjS16ex045.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\enc9JdewSUMVCRcBLY1bLbUT.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Ledger-Live[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\nnZpB7DttFEiMoRHhyjsMIGz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\nNtGSwumkPliSKVeAx7Sx8Gp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\lLVPG0Pkhk3MeRMVuEfaKb2V.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\fDVyGnt4qkfC1RQX2yjdlha8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\rMuSSyE2z14xNxfrVLVv1kvs.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211043944414548.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\sP3BgFXaLWMMa0a6kgrVZ5A3.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\C2ytbpXjpVGZQltGJ6eXiuhX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\b1uZ67lknMP13RedpY9EzGAj.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\Users\user\AppData\Local\Temp\IIEHCFIDHI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\DOHofbJiGO0ppvf8BnLjEcOT.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\Tux8yeqUanpZipvXA8WXqYc0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\97vQigClUgXPlHCQsrK19F5k.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\f92wGKeu5LyIAhCs4NxRkLxR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\oL06QqFgQZZETtHJ8qOWjQhV.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\phZoEhmPHJEnryk70uKpl9zQ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\6z1e79d9YW0aNxV6xEjP29XG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\dghB8AfRudM2FLzl5fgKHzMA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\4F7ctSfTyUiwf5E5Jj8ISwxp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\X25zuvF7asVSMm12uFSrccNg.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\HHCsqXDqpAXkK1qXCMPkWTES.exe	Jump to dropped file
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211043401411604.dll	Jump to dropped file
Source: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211043820413232.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\S9FRoySbKySnaEAuJOzqToi9.exe	Jump to dropped file
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\zKY9gVt7bugdAVV29pfHDO1J.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\ro486V1Z7P66nNToWTrVxquk.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\kujNjTMPu36kPLMvqPBbpIku.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\XcDOAu7dcqSLvLgCVhDWG4DS.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\VF98zhY4QVhDxJpNtAE2TU6d.exe	Jump to dropped file
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211043017611524.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\7SwW0NDNOzD4bm2fh2mMH4aC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\B8Lqzc0h0CXWQep40oCdtIvu.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\nvMOfQgAbNYiBrdqNEHby9rc.exe	Jump to dropped file
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211045859715840.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\zcKoLXDqvdAUIOoGZ6SAU0N3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\5pdwJpq902hXA5VnaRygPeAf.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\LAJLX2OtZ85vzPOftAYRcEsi.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\w9PVG5CKOJz2PxNYSzlQtvrS.exe	Jump to dropped file
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211043726914020.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\WmGZEzN2y17TSARkq7CMs3oI.exe	Jump to dropped file
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211043920313116.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\KV7xIiMtLy0kJUjIxAoYbPAI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\94dy1QqwzgyoJs6C4qGbaLjk.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\C9Df3LuwbD9ycdo5E8aI5Wc6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\1OQjrbwH6I3sd8vA3ha6k08p.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\Slo3nPYDYKdAC0gOANfeI09y.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\0IFrK3aRWk7G6YUjUT8ew0OK.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\PgyoyDyjTaeBIiR0ZncnFz3x.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\aFkMZIYV0H3vyPVwOnL9WjBJ.exe	Jump to dropped file
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121204471\opera_package	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\alBY3v35R74xONR13b2VtkYE.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\PRVOgEotbjGXE8sD4i3FyhZT.exe	Jump to dropped file
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	File created: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\zF1fl3LOa2LapjgwxbfBCS0k.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\YpqMAvbWtKvsPXvu1AiMGUgE.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\7yvJjVKbdq1WHJrfxFmH3872.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\QRVPcUOZwKQgBVL5bWKd8sH5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\VgDhRl17mSZEAyX0ktrL58w3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\NUsC1LZWtdLvV2hVDgycM5e6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\BtncwRtgPRnpujyKznLGy9d8.exe	Jump to dropped file
Source: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211044129216532.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\QIllRQrcYueLdSshRqLTqOvP.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\WtNveQ4d78dApFTRjzeseQ67.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\tkHy6gygmfOPY9aBah1pIwua.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\MWbupbq1lCIXYvylS8lGgBPD.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\i0DLgyxTLlkFBSXC6EtBlR3o.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\nYogaRAZxPLuvJnrVaN7fjAe.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211043773814148.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\9pxDWajsJYwYwL1brTzHEdek.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\rvy2oX9wb6hdfWfPiYtPw60n.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\hoIRHCmbfleOimlEQBUf6Nsu.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\cNYL5IyksZKthNvEJoyBw8Ag.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\EGZvqStEuOZgeHhVMxPhyZjZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\aUJQGrpjjWYYDUiVfYPZvQ7q.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\nDHXe5EkxWeixtBE9998831S.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\LKiziaTKHXhXmsyq7iSl6Znq.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\MLm2a0TiwOQvrEuSm0y6Hlo4.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\jLh2jXNiKaCQ93A91IuQMDiC.exe	Jump to dropped file
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Opera_108.0.5067.24_Autoupdate_x64[3].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\LulQEAYQpS9lk1qZLpImyHK7.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\tkxNqRBruO0TCZ7E4aLz1RHH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\5QpyioUXq8ASWQahMvzU4ahz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\DG5NfvChXpdFrpWmBrnRWaQb.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\xwluxp5OZq2fzKcnUhKN90Gy.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\EfWbusCUqNvTcQMtFkj7YUGY.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\GfRX4UT2Opv4sOsHjzHHVCjf.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Jump to dropped file
Source: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211042526911280.dll	Jump to dropped file
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	File created: C:\Users\user\AppData\Local\Temp\nsvA4F1.tmp\INetC.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\jWtlFlrLdXdhBLj1fOltMT9i.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\dnobo8kquxthKYPbiVKNkBHX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\eqwQ4v4W79HQtYChIL8CXQJj.exe	Jump to dropped file
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121205051\opera_package	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\tlmCvYWISSwVWnUxg9w0yKg0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\7mP2uTTqqwYXFx3CixL6JUmx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\HFiFGl6AR63OLnORhPPDiWeA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\DY8D6dQbgIgJO1SaVNqhiZOW.exe	Jump to dropped file
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211043867714488.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\rfKusEcfqkKKVyx19jVITYlO.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\06nVIZvE4iGjgzg643uXiijC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\UIlVvmdU1KS1YgdCPOj7XPRB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\qLEG52WWxIWvDwEETVieoeBU.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\rSYsgRim3M5YCzGnR78v4Mm1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\u118vbhgpAsB1DCQ91pKfLua.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\mxmsi31bOIKdEb9VIHBYJshQ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\jx4EXQWaWISJJqVjnXD4Dqaz.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\QXOXdXIs2CDsFYBPsa07tHNX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\UrT5ltGRxob1yeMhM5Nnnzax.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\KFfdFQJ0GFXA36ymuAOaK0ZR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\g8ZqhZX4Hv3yrSl3yliJsZDM.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\UI7LDXaAp2RaeFVHf9g6LwB6.exe	Jump to dropped file
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Opera_108.0.5067.24_Autoupdate_x64[2].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\s2A2nVFap842S1hTJXF9l5R8.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\XIBzivlqsIPRfzklN9g3VnQx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\leLskzRZPIglQflslvTIwLTy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\n3Yk1EJMr8upEtxmsPsGJQY9.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\HN7tYbFl9xu8SJ0TV9kPnV6R.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\03VPbfdR0v0eUJbl3BY2yvWa.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\XBfbSv4es0kCeAv5VfvvgpQ7.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\rNWlWD0ZgXMhzWvOuALV5nXl.exe	Jump to dropped file
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	File created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\kbk5zLOtlX5KBIypEMa7wHhL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe	Jump to dropped file
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2403121104234259124.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\SgphKg63629U7dMJ7gswdhRB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\a3F2iXIaBwCbhUUvTA3BBuOE.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\IGVy70B2MbWqfodclXqYMOZv.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\aUOQyBDQWpOtJeSIFm10c61i.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\c0Si5Ocs5Hjqmkw7zPRBLU4J.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\lPSfsxgFucUyDCrXpMn2ucYq.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\4cq2SZqMHS3XYqkYi9qoDSje.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\pN2O0fDFwQyZhLFu32KEUc8D.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\2xlrDVEKDyhTNLHkwA8DqN66.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\nU8NHI9fYTvNPbiYhk76Vc0l.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\y4lq5SHqKAOV4kY1xCRGbtJI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\dZhcoTSgym1JGRiEQOUqAdeo.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\lpOXM8pg9J4cVKMm0aJJw34A.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\MW0Q5IkKXdDw9nrX6CojJx9n.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\Lx8QrL0pgGPlzgQWZQW3XR1F.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\XgRMsEcdNLhAV5ZMS6q0eNdc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\HfRmesToGDAxeXrQ5sUnZbvw.exe	Jump to dropped file
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\rMuSSyE2z14xNxfrVLVv1kvs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\LiMUMFNfqgHoXxfy9KUypTg9.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\B9mSYpwKkVgW9jJSaxBMcATu.exe	Jump to dropped file
Source: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\2n6aZsnLKtKXJNMzWvG8Ou1L.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\Lp5WnTgHCMiSZVksHSRp5zyx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\Ge2xGCQPLJT2DzNk3YNjEyuZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\quqghK17OnNCuj9KAvNZQsIX.exe	Jump to dropped file
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	File created: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211042869310536.dll	Jump to dropped file
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\et1UzaJspSJuRyCxNxPGYCVV.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\Ktf4CHbIF92R4VV827YiDPbm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\OHK6a4WIJ0F6rlhWGJwMYrRP.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\nrklq6P1CNvXZbzoZhiYO66H.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\SN1mrhiBAGt5YdpSiR94ouLj.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\9HGEbLH7EssqmLwFcrlZYSWT.exe	Jump to dropped file
Source: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\Rfsq67IamA4rPpnX6LHMDFkm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\CmAp0DxyhTEj5GF5fAGFiA38.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\Nq9MYb4uPnSDV9cCg1KHXQbW.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\HKhPqHszLj6gz3A9XYe5jsNS.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\vC3Q85PP4k1yZfTFObCtFF23.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\ShUBAVvG4N04pgkRyyhwlthp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\k6s7peRuTySdHXpiWwpUH9mL.exe	Jump to dropped file
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121204571\opera_package	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\guekS5iP2Ex1XPBodoRkDEP3.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\l4uKqmU2WFXWkMNLmByrfqyU.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\EwzOUe6vEjttYfeygpeUfeHd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\Jshk17Bukhv7AlOodjXBVX2B.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\gC6HQHcPvsALd84vdJXhjM8b.exe	Jump to dropped file
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\j1XOgROBJfvz0cRzU7rPw7NS.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Local\TgGBhjAUKSjQAdgyfPvaMx0f.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121204571\opera_package	Jump to dropped file
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121204471\opera_package	Jump to dropped file
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121205051\opera_package	Jump to dropped file

Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312120432506.log
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312120451640.log
Source: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312120439871.log
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312120440744.log
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312120500215.log
Source: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe	File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240312120451637.log

Boot Survival

Drops script or batch files to the startup folder

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GqtFjA5wUyMdLuRfwskrpVTo.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jSlH1NDdwZ5sVvpJLaRGlUg3.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cu7dRoXaHj4ykdzix5wPfjXx.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mJLmefrCsgE5krwk9Oci0Bbw.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y3v4PLQ2XJADPLe8uTGKTGBj.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JzQd2zNS2LuiFZIBJg0WYcl0.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IVOq1djrOaeTxLiPySq6sN5l.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8jCBtnWc1Ir4FhlXpfJLJwbt.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\64W1FeA5ZnvYwrYyuSLeSK0I.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pY628AxjApG4YTXlrhGV8yw3.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KrG1uWAeN2xCX4UgIRWXMrz7.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NSz8C5FjEwzY7lc1l5tTf7Zu.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lWyBM6xzEYH8af3JtrgoGLji.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GDW6oyyvh1Tx5s2LyRfh47Sr.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qbR2nxvU5YfBQ02xmUe4NkXt.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ygAJfFrum1FZrl8um8F1ktaM.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZxCxof6FGyd7qDqEPzShgVDy.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bLqhYt9ogAh97MPkvppQVF9X.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\45euY0tWMStjkWwOBWZtGnI0.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g36Pj4OeQfT5fsEy942pjuLB.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JttcrlpAPl4aOfhp8XC7VBXP.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VUJ1APavr4g9GBy9emLR2vwj.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\i8HshVgTCpXiQf6L29fDdtf2.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Me7XLDxydOOLg6FSpuWpJFuG.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2QWycgsKSAUaWcb234VluyVy.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XCcXtVNwlBCqsuRQM07uv7xU.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pY0QVnYhBROLQVS5oQrN5o7m.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fYZb9ShA44FqrsrhTi1y1tTz.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KfGswAZKZMHpZo4ArOFGPkJi.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gR0lGfIoDtFYzlUhRusWoKhW.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NAr5maBkVhXrAaU2xNYDG0Ni.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\H4NVC7ZwPA7tQJGraaH0GriF.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IHa5q36o0oDSI0oxRh2AwjiE.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rAqJNKgRVbKovSMY9qDHSj7d.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6isJJ7wloEiUNIFQIZCrGgvi.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ybfKR4xYXNZBwVs19w5NxNCx.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sg2B0JnlYsjOOp9PXVd15s2q.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d1fRvP84Ga9Br7ODiQTXn4vQ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MMUVZxTIvuJIWYs0euk86qxA.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lDqIZHzEh5aA9T958bHHuayh.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4gIAsw31EaIKBtzY8UpjYqHc.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eWOYF1zwQp5lzVxU2fjmQUeK.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vNxTxhnF1jLDF3c3IhQ0ugBn.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t0VeReiJ2D1H7tlhX86CFX2V.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lN6EZkNxV3rXX2qxPicAYE9F.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MCYmcBRyIU8ux2QHjbZuxfqz.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghLXR4xqE410iKbU3cBOmlGw.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CjdCWP2sC37ZrV3R6LwCpexO.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DAPdCitNhM6K85idSxzFsn9c.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\s1E2hy8nTgTiq969cqnOj6it.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f8MQunt0M68AqAW4zdwcL0Ui.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79J3LANQWKbJF2lR4gqU68ES.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mmqKP8XD0uGxtV9TJKNqEzH1.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xYZ8ltMxDtErLgr3Gr6hsDwB.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\beH9MpS951FkEDtYIMOxB9PT.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xff4reuwezkTHOPHNgaOdMxG.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\J8yKUFyiGbt768ehGRwDyrcp.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nkgJlCpXnklvIZptbofXvweb.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g3wuBpjd4YSwE1PpTVWpnQ2U.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OyeiCH3bPxPVxTNeTi5EUshF.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oheY3Go4pZ1wm0vIDukxGCTy.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0vVJWHdlOpVUJxV1xztDPHUw.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wO2nme35VyCy2jM8Jkkrv3aB.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XxBWkAwnJl3TYI8aDIgt8atT.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6EJHjgRIzjgBosA7d8ecDUNh.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\V3AtsmKWfYlu7Eug1wlWAH9h.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mVUYVq6R7ZMOQMgpxdxZp1O4.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8RikxgyHSlngyCNkLljOoIea.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0J09ro90wH7cLZwlpWjZz8T8.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrzJY4SdW5VqRT3oUgzb9jSd.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1txDsrfHbBgBylWpI2XKTXX2.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sCaMNwrALXlwWpSshXrS6cdu.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pSM2nuIFwq1STBoginT3tgcm.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K5EbMQs6xVELU0vVhpEDrOBd.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hJyo6w6bfQfja88teforIKdz.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9WqUvEngz5tu4Jus6UqDSeAH.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HcKDjXDeVjoAYG9oEwfQ5r7W.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xjfzmzWD1uQBqZzTdHA0H8BM.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OgJTlumfhkuuRPLFvr1On9vQ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viVdM1bZfxrDUfNurqYFq5oQ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f6dPjqM04FFhKPYuWUTKufeU.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WHOE8wVBsC06cG3PMXZ41tA4.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hQMzrTDrEmEhlXEwSqkI11ka.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bmpPREy9jpg9Y5dahXR78j0C.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ly0vAWTAcIU5cged5BZiiVcK.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qCOpGIKJ0lXq2cvfLssuk720.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\562IOAurui1iMq5ZnURlELqJ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tyRpv4Ym9bfSQFq5y44ZesRX.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\U1hx9WBnTHOidubdRJPbHA8j.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WFLbR91U37oILGhK1Q5GQNWV.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ugc0V90naF7CA7jLJhXrOwzq.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MXHxg7qBXVuJrgcu6doi4FNe.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kAkbE0p9XJOYqRS1e4Gf5Dm5.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TtdffhNnzdGUOw1Q6n3IszxI.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gN85yFjd6Vx1mOqdlrX804mt.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9EVhyPbJZWDMphgwa1d2iYKJ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E0t808UD5wPZCrXfVGxoO4mM.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l2ChmrDmSS97MQITbBWwabW2.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hDjwSDfdU2qJ2iM65plUxEZr.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zZ1vzBEdn1hKBDBvQgosimyo.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ikpPsIJMpIzBG9ZiRh1WNm6b.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qFVilIfcpozbs3MkwKHcvv8j.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JHyB8AKI6HCE6tGU3bnuI5r6.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmt1Uz6FR5q2VJqcLQpvqgxZ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKmDph5LIywjCE77xYaea19T.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0WOLhTTA42JINQ9Omh8xrRDx.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26JlZQCiOjvgSz9otdXlHJBB.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oNve74NBPpA58KkAy4un9IhP.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uHxI55dS46eMPxqmwl14Uvsb.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7d8IogXL4FtHFodng5T2yNKJ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u3cUq3l4BLwzorw3WojT8R94.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BVuucCXc4ipTOaEN9UbIG06h.bat	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MCYmcBRyIU8ux2QHjbZuxfqz.bat

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MCYmcBRyIU8ux2QHjbZuxfqz.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghLXR4xqE410iKbU3cBOmlGw.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CjdCWP2sC37ZrV3R6LwCpexO.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nkgJlCpXnklvIZptbofXvweb.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8RikxgyHSlngyCNkLljOoIea.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mVUYVq6R7ZMOQMgpxdxZp1O4.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0J09ro90wH7cLZwlpWjZz8T8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1txDsrfHbBgBylWpI2XKTXX2.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sCaMNwrALXlwWpSshXrS6cdu.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrzJY4SdW5VqRT3oUgzb9jSd.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bmpPREy9jpg9Y5dahXR78j0C.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kAkbE0p9XJOYqRS1e4Gf5Dm5.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TtdffhNnzdGUOw1Q6n3IszxI.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gN85yFjd6Vx1mOqdlrX804mt.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E0t808UD5wPZCrXfVGxoO4mM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\l2ChmrDmSS97MQITbBWwabW2.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hDjwSDfdU2qJ2iM65plUxEZr.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zZ1vzBEdn1hKBDBvQgosimyo.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LKmDph5LIywjCE77xYaea19T.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0WOLhTTA42JINQ9Omh8xrRDx.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uHxI55dS46eMPxqmwl14Uvsb.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7d8IogXL4FtHFodng5T2yNKJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u3cUq3l4BLwzorw3WojT8R94.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BVuucCXc4ipTOaEN9UbIG06h.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KfGswAZKZMHpZo4ArOFGPkJi.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NAr5maBkVhXrAaU2xNYDG0Ni.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6isJJ7wloEiUNIFQIZCrGgvi.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MMUVZxTIvuJIWYs0euk86qxA.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79J3LANQWKbJF2lR4gqU68ES.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\beH9MpS951FkEDtYIMOxB9PT.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OyeiCH3bPxPVxTNeTi5EUshF.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\J8yKUFyiGbt768ehGRwDyrcp.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XxBWkAwnJl3TYI8aDIgt8atT.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\V3AtsmKWfYlu7Eug1wlWAH9h.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hJyo6w6bfQfja88teforIKdz.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OgJTlumfhkuuRPLFvr1On9vQ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\562IOAurui1iMq5ZnURlELqJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ugc0V90naF7CA7jLJhXrOwzq.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JHyB8AKI6HCE6tGU3bnuI5r6.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26JlZQCiOjvgSz9otdXlHJBB.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oNve74NBPpA58KkAy4un9IhP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JttcrlpAPl4aOfhp8XC7VBXP.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\i8HshVgTCpXiQf6L29fDdtf2.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Me7XLDxydOOLg6FSpuWpJFuG.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pY0QVnYhBROLQVS5oQrN5o7m.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IHa5q36o0oDSI0oxRh2AwjiE.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gR0lGfIoDtFYzlUhRusWoKhW.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ybfKR4xYXNZBwVs19w5NxNCx.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lDqIZHzEh5aA9T958bHHuayh.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sg2B0JnlYsjOOp9PXVd15s2q.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vNxTxhnF1jLDF3c3IhQ0ugBn.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lN6EZkNxV3rXX2qxPicAYE9F.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\s1E2hy8nTgTiq969cqnOj6it.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mmqKP8XD0uGxtV9TJKNqEzH1.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xff4reuwezkTHOPHNgaOdMxG.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oheY3Go4pZ1wm0vIDukxGCTy.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0vVJWHdlOpVUJxV1xztDPHUw.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9WqUvEngz5tu4Jus6UqDSeAH.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HcKDjXDeVjoAYG9oEwfQ5r7W.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viVdM1bZfxrDUfNurqYFq5oQ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f6dPjqM04FFhKPYuWUTKufeU.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ly0vAWTAcIU5cged5BZiiVcK.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hQMzrTDrEmEhlXEwSqkI11ka.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tyRpv4Ym9bfSQFq5y44ZesRX.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MXHxg7qBXVuJrgcu6doi4FNe.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9EVhyPbJZWDMphgwa1d2iYKJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ikpPsIJMpIzBG9ZiRh1WNm6b.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qFVilIfcpozbs3MkwKHcvv8j.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmt1Uz6FR5q2VJqcLQpvqgxZ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pY628AxjApG4YTXlrhGV8yw3.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NSz8C5FjEwzY7lc1l5tTf7Zu.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GDW6oyyvh1Tx5s2LyRfh47Sr.bat

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

15_2_00416240

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\dZhcoTSgym1JGRiEQOUqAdeo.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\dZhcoTSgym1JGRiEQOUqAdeo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\dZhcoTSgym1JGRiEQOUqAdeo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\dZhcoTSgym1JGRiEQOUqAdeo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\rfKusEcfqkKKVyx19jVITYlO.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\rfKusEcfqkKKVyx19jVITYlO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\rfKusEcfqkKKVyx19jVITYlO.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\rfKusEcfqkKKVyx19jVITYlO.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\mxmsi31bOIKdEb9VIHBYJshQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\jLh2jXNiKaCQ93A91IuQMDiC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\VF98zhY4QVhDxJpNtAE2TU6d.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\VF98zhY4QVhDxJpNtAE2TU6d.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\VF98zhY4QVhDxJpNtAE2TU6d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\VF98zhY4QVhDxJpNtAE2TU6d.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_15-23384

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIESBAD ADDRESSBAD ARGSIZEBAD M VALUEBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLE2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN1FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEGLOBALALLOCHTTP2CLIENTHTTP2SERVERHTTPS_PROXYI/O TIMEOUTLOCAL ERRORMSPANMANUALMETHODARGS(MINTRIGGER=MOVE %S: %WMSWSOCK.DLLNETPOLLINITNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SREFLECT.SETREFLECTOFFSRETRY-AFTERRUNTIME: P RUNTIME: G RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTACK TRACESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=195WININET.DLLWUP_PROCESS (SENSITIVE) B (
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD RESTART PCBAD SPAN STATEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEFILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATEMULTIPARTFILESNEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREAD_FRAME_EOFREFLECT.VALUE.REMOVE APP: %WRUNTIME: FULL=RUNTIME: WANT=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTART TASK: %WSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIME.LOCATION(TIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Memory allocated: 28B2BC60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Memory allocated: 28B45530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 2960000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 2E30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 4E30000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 7370000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 8370000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 84F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 94F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 97F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: A7F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 84F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: BBF0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: CBF0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 7BF0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 81F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 91F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: A1F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: B9F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: C9F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Memory allocated: 91F0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599502
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598995
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598839
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598476
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597779
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596866
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595682
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 592828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 592485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 592156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 590672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 590141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 588781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 588438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 588031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 587563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 587156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 586172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 583953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 583391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 582825
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 582422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 582063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 581641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 581063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 580656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 580357
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 580046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 579654
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 579054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 578632
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 578387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 578054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 577765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 577421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 577124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 576655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 576258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 575885
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 575374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 574921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 574499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 573876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 573459
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 572938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 572429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 571816
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 571261
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 570870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 570276
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 569410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 564751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 562369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 560882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 558422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 558189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 557608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 556800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 555955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 554792
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 554433
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 553979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 553729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 553605
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 553450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 553172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 552969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 552797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 552668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 552539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 552365
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 552239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 552108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 551996
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 551880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 551690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 551525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 551403
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 548777
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 548456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 548126
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 547981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 547797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 547653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 547490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 547364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 547243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 547095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 546949
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 546767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 546640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 546505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 546332
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 546122
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 545952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 545754
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 545562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 545388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 545190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 545018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 544854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 544662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 544469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 544286
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 543968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 543770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 543564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 543330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 543192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 542998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 542820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 542630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 542438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 542283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 542104
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 541899
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 541642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 541445
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 541218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 541044
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 540831
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 540694
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 540373
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 540169
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 539984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 539798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 539496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 539241
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 538992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 538769
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 538484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 538215
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 537992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 537800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 537671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 537418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 537185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 537002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 536740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 536488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 536280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 536094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 535874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 535699
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 535494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 535258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 535102
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 534938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 534779
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 534622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 534408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 534220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 534049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 533620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 532975
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 532682
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 532455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 532291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 532103
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 531902
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 531741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 531583
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 531370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 531188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 530852
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 530712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 530587
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 530460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 530343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 530178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 529975
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 529801
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 529679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 529543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 529424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 529202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 528954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 528777
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 528594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 528448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 528137
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 527981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 527839
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 527683
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 527493
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 527349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 527224
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 527058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 526890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 526668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 526471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 526343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 526148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 525994
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 525485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 525184
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 524983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 524410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 524168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 523772
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 523393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 523111
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 522738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 522181
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 521737
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 521386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 521042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 520685
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 520366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 519734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 519248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 518358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 517845
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 516778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 516037
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 515112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 514403
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 514075
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 513519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 512975
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 512395
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 511840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 511386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 510854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 510465
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 510120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 509761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 509368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 509037
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 508726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 508388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 507953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 507585
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 507249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 506926
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 506566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 506374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 506160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 505995
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 505868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 505760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 505620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 505422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 505275
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 505162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 503903
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 503763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 503649
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 503494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 503364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 503244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 503133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 503014
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 502889
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 502769
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 502591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 502472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 502346
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 502133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 502025
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 501851
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 501738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 501609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 501501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 501375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 501173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 500880

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Window / User API: threadDelayed 505	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Window / User API: threadDelayed 4808	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6429	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Window / User API: threadDelayed 7478

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\4cq2SZqMHS3XYqkYi9qoDSje.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\4oOqWbJEImqDRLxD75xKRNjm.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Opera_108.0.5067.24_Autoupdate_x64[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\nU8NHI9fYTvNPbiYhk76Vc0l.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\y4lq5SHqKAOV4kY1xCRGbtJI.exe	Jump to dropped file
Source: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211042526911280.dll	Jump to dropped file
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211043726914020.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\GzgoX5V54ke4dVGjS16ex045.exe	Jump to dropped file
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsvA4F1.tmp\INetC.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\MW0Q5IkKXdDw9nrX6CojJx9n.exe	Jump to dropped file
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211043920313116.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Ledger-Live[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\eqwQ4v4W79HQtYChIL8CXQJj.exe	Jump to dropped file
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121205051\opera_package	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\7mP2uTTqqwYXFx3CixL6JUmx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\fDVyGnt4qkfC1RQX2yjdlha8.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\HFiFGl6AR63OLnORhPPDiWeA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\rMuSSyE2z14xNxfrVLVv1kvs.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211043944414548.dll	Jump to dropped file
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121204471\opera_package	Jump to dropped file
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211043867714488.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\C2ytbpXjpVGZQltGJ6eXiuhX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\sP3BgFXaLWMMa0a6kgrVZ5A3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IIEHCFIDHI.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\u118vbhgpAsB1DCQ91pKfLua.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Ge2xGCQPLJT2DzNk3YNjEyuZ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211042869310536.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\jx4EXQWaWISJJqVjnXD4Dqaz.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211044129216532.dll	Jump to dropped file
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Opera_108.0.5067.24_Autoupdate_x64[2].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\OHK6a4WIJ0F6rlhWGJwMYrRP.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\leLskzRZPIglQflslvTIwLTy.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\dghB8AfRudM2FLzl5fgKHzMA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\nrklq6P1CNvXZbzoZhiYO66H.exe	Jump to dropped file
Source: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211043773814148.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\CmAp0DxyhTEj5GF5fAGFiA38.exe	Jump to dropped file
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211043401411604.dll	Jump to dropped file
Source: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211043820413232.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\S9FRoySbKySnaEAuJOzqToi9.exe	Jump to dropped file
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403121204571\opera_package	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\l4uKqmU2WFXWkMNLmByrfqyU.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\kujNjTMPu36kPLMvqPBbpIku.exe	Jump to dropped file
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2403121104234259124.dll	Jump to dropped file
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\Opera_108.0.5067.24_Autoupdate_x64[3].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\EwzOUe6vEjttYfeygpeUfeHd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\SgphKg63629U7dMJ7gswdhRB.exe	Jump to dropped file
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211043017611524.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\lPSfsxgFucUyDCrXpMn2ucYq.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\B8Lqzc0h0CXWQep40oCdtIvu.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\xwluxp5OZq2fzKcnUhKN90Gy.exe	Jump to dropped file
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_24031211045859715840.dll	Jump to dropped file

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -99871s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -99765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -99546s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -99435s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -99316s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -99078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -98953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -98839s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -98727s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -98609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -98448s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -98326s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -98218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe TID: 7228	Thread sleep time: -98078s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8104	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 43984	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8360	Thread sleep count: 7478 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -599781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -599640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -599502s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -599375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -599265s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -599154s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -598995s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -598839s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -598719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -598592s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -598476s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -598374s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -598280s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -598094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -597938s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -597779s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -597642s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -597422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -597219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -597000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -596866s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -596766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -596537s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -596360s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -596232s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -596086s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -595891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -595682s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -595533s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -595297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -594953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 43984	Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -594610s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -594188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -593828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -593485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -593156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -592828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -592485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -592156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -591688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -591266s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -590672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -590141s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -589750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -589219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -588781s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -588438s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -588031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -587563s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -587156s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -586172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -583953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -583391s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -582825s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -582422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -582063s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -581641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -581063s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -580656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -580357s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -580046s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -579654s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -579054s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -578632s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -578387s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -578054s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -577765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -577421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -577124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -576655s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -576258s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -575885s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -575374s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -574921s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -574499s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -573876s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -573459s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -572938s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -572429s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -571816s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -571261s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -570870s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -570276s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -569410s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -564751s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -562369s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -560882s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -558422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -558189s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -557608s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -556800s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -555955s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -554792s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -554433s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -553979s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -553729s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -553605s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -553450s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -553172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -552969s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -552797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -552668s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -552539s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -552365s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -552239s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -552108s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -551996s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -551880s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -551690s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -551525s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -551403s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -548777s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -548456s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -548126s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -547981s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -547797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -547653s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -547490s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -547364s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -547243s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -547095s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -546949s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -546767s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -546640s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -546505s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -546332s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -546122s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -545952s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -545754s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -545562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -545388s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -545190s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -545018s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -544854s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -544662s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -544469s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -544286s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -543968s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -543770s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -543564s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -543330s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -543192s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -542998s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -542820s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -542630s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -542438s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -542283s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -542104s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -541899s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -541642s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -541445s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -541218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -541044s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -540831s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -540694s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -540373s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -540169s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -539984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -539798s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -539496s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -539241s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -538992s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -538769s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -538484s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -538215s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -537992s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -537800s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -537671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -537418s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -537185s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -537002s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -536740s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -536488s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -536280s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -536094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -535874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -535699s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -535494s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -535258s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -535102s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -534938s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -534779s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -534622s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -534408s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -534220s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -534049s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -533620s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -532975s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -532682s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -532455s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -532291s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -532103s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -531902s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -531741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -531583s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -531370s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -531188s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -530852s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -530712s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -530587s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -530460s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -530343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -530178s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -529975s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -529801s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -529679s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -529543s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -529424s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -529202s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -528954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -528777s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -528594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -528448s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -528137s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -527981s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -527839s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -527683s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -527493s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -527349s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -527224s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -527058s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -526890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -526668s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -526471s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -526343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -526148s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -525994s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -525485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -525184s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -524983s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -524410s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -524168s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -523772s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -523393s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -523111s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -522738s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -522181s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -521737s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -521386s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -521042s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -520685s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -520366s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -519734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -519248s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -518358s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -517845s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -516778s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -516037s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -515112s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -514403s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -514075s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -513519s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -512975s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -512395s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -511840s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -511386s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -510854s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -510465s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -510120s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -509761s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -509368s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -509037s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -508726s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -508388s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -507953s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -507585s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -507249s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -506926s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -506566s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -506374s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -506160s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -505995s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -505868s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -505760s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -505620s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -505422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -505275s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -505162s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -504939s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -504794s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -504679s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -504499s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -504386s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -504250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -504124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -504013s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -503903s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -503763s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -503649s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -503494s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -503364s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -503244s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -503133s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -503014s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -502889s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -502769s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -502591s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -502472s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -502346s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -502133s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -502025s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -501851s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -501738s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -501609s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -501501s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -501375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -501173s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 8092	Thread sleep time: -500880s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Last function: Thread delayed

Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation

Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_00408123 FindFirstFileA,FindClose,	10_2_00408123
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_004085B8 DeleteFileA,DeleteFileA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	10_2_004085B8
Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe	Code function: 10_2_0040342B FindFirstFileA,	10_2_0040342B
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	15_2_00412570
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	15_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	15_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	15_2_00411650
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	15_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	15_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	15_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	15_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	15_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006AB877 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	15_2_006AB877
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006B2457 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	15_2_006B2457
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006A1827 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	15_2_006A1827
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006AD427 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	15_2_006AD427
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006B18B7 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	15_2_006B18B7
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006B1DE7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	15_2_006B1DE7
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006ADDC7 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	15_2_006ADDC7
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006B27D7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	15_2_006B27D7
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006AD7A7 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	15_2_006AD7A7
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: 31_1_001CCF22 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	31_1_001CCF22

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

Code function: 15_2_00401120 GetSystemInfo,ExitProcess,

15_2_00401120

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 99871	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 99546	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 99435	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 99316	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 99078	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 98953	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 98839	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 98727	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 98609	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 98448	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 98326	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Thread delayed: delay time: 98078	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599502
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 599154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598995
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598839
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598592
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598476
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 598094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597779
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 597000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596866
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596232
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 596086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595682
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595533
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 595297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 594188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 593156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 592828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 592485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 592156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 591266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 590672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 590141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 589219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 588781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 588438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 588031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 587563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 587156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 586172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 583953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 583391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 582825
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 582422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 582063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 581641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 581063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 580656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 580357
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 580046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 579654
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 579054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 578632
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 578387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 578054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 577765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 577421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 577124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 576655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 576258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 575885
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 575374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 574921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 574499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 573876
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 573459
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 572938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 572429
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 571816
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 571261
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 570870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 570276
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 569410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 564751
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 562369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 560882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 558422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 558189
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 557608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 556800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 555955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 554792
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 554433
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 553979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 553729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 553605
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 553450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 553172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 552969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 552797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 552668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 552539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 552365
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 552239
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 552108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 551996
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 551880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 551690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 551525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 551403
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 548777
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 548456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 548126
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 547981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 547797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 547653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 547490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 547364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 547243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 547095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 546949
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 546767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 546640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 546505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 546332
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 546122
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 545952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 545754
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 545562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 545388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 545190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 545018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 544854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 544662
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 544469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 544286
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 543968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 543770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 543564
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 543330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 543192
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 542998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 542820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 542630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 542438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 542283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 542104
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 541899
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 541642
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 541445
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 541218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 541044
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 540831
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 540694
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 540373
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 540169
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 539984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 539798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 539496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 539241
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 538992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 538769
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 538484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 538215
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 537992
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 537800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 537671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 537418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 537185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 537002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 536740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 536488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 536280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 536094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 535874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 535699
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 535494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 535258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 535102
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 534938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 534779
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 534622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 534408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 534220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 534049
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 533620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 532975
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 532682
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 532455
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 532291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 532103
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 531902
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 531741
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 531583
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 531370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 531188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 530852
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 530712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 530587
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 530460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 530343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 530178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 529975
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 529801
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 529679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 529543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 529424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 529202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 528954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 528777
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 528594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 528448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 528137
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 527981
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 527839
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 527683
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 527493
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 527349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 527224
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 527058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 526890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 526668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 526471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 526343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 526148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 525994
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 525485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 525184
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 524983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 524410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 524168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 523772
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 523393
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 523111
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 522738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 522181
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 521737
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 521386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 521042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 520685
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 520366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 519734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 519248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 518358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 517845
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 516778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 516037
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 515112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 514403
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 514075
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 513519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 512975
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 512395
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 511840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 511386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 510854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 510465
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 510120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 509761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 509368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 509037
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 508726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 508388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 507953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 507585
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 507249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 506926
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 506566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 506374
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 506160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 505995
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 505868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 505760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 505620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 505422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 505275
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 505162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504679
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504386
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 504013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 503903
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 503763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 503649
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 503494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 503364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 503244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 503133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 503014
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 502889
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 502769
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 502591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 502472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 502346
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 502133
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 502025
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 501851
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 501738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 501609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 501501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 501375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 501173
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 500880

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad restart PCbad span statebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responsefile too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofileratemultipartfilesneed more datanil elem type!no module datano such deviceopen event: %wparse cert: %wprotocol errorread certs: %wread_frame_eofreflect.Value.remove app: %wruntime: full=runtime: want=s.allocCount= semaRoot queueserver.versionstack overflowstart task: %wstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthoritiesbad addressbad argSizebad m valuebad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcreated by crypt32.dlle2.keff.orgembedded/%sexternal IPfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknameglobalAllochttp2clienthttp2serverhttps_proxyi/o timeoutlocal errormSpanManualmethodargs(minTrigger=move %s: %wmswsock.dllnetpollInitnext servernil contextopera-proxyorannis.comout of syncparse errorprocess: %sreflect.SetreflectOffsretry-afterruntime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writestack tracestart proxytaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dllversion=195wininet.dllwup_process (sensitive) B (
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: entersyscallexit status failed to %wfound av: %sgcBitsArenasgcpacertracegetaddrinfowgot TI tokenguid_machineharddecommithost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid pathinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmheapSpecialmsftedit.dllmspanSpecialnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wproxyconnectrandautoseedrecv_goaway_reflect.Copyreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDONT-FRAGMENTDeleteServiceDestroyWindowDistributorIDECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGeoIPFile %s
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWRtlGetCurrentPebSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s cmd is nilcomplex128connectiondebug calldnsapi.dlldsefix.exedwmapi.dlle.keff.orgexecerrdotexitThreadexp masterfloat32nanfloat64nangetsockoptgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleindicationinvalid IPinvalidptrkeep-alivemSpanInUsemyhostnameno resultsnot a boolnot signednotifyListowner diedpowershellprl_cc.exeprofInsertres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresend stateset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtext/plaintime.Date(time.Localtracefree(tracegc()
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWindowUnicodeIsWindowVisibleIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423165911.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2382378174.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2391593565.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2363415183.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW{
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: acceptactivechan<-closedcookiedirectdomainefenceempty exec: expectfamilygeoip6gopherhangupheaderinternip+netkilledlistenminutenetdnsnumberobjectoriginpopcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: SafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00/api/cdn?/api/poll127.0.0.1244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]_outboundatomicor8attributeb.ooze.ccbad indirbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0dns,filesecdsa.netempty urlfiles,dnsfn.48.orgfodhelperfork/execfuncargs(gdi32.dllhchanLeafimage/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplocalhostmSpanDeadnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: ><'\'') = ) m=+Inf-Inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00
Source: zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWVE
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000003.1920722672.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 0000000F.00000002.2877720615.000000000086E000.00000004.00000020.00020000.00000000.sdmp, syncUpd.exe, 0000000F.00000003.2281435291.000000000089F000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2387931999.0000000000F11000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410615687.0000000000E48000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410715389.0000000000F11000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2364591268.0000000000F11000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001666000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday(%s.uuid.%s%s\|%s%s\|%s(BADINDEX), bound = , limit = -noprofile-uninstall.localhost/dev/stdin/etc/hosts/show-eula12207031256103515625: parsing :authorityAdditionalBad varintCampaignIDCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMERROR-CODEException GC forced
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: Not ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000843000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: main.isRunningInsideVMWare
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptydouble unlockemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflateif-none-matchignoring fileimage/svg+xmlinvalid ASN.1invalid UTF-8invalid base kernel32.dllkey expansionlame referrallast-modifiedlevel 3 resetload64 failedmaster secretmin too largename is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeprofMemActiveprofMemFutureread EULA: %wrebooting nowruntime: seq=runtime: val=service stateset event: %wsigner is nilsocks connectsrmount errortimer expiredtraceStackTabtrailing dataunimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ...
Source: syncUpd.exe, 0000000F.00000002.2877720615.0000000000848000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> answersany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scpuprofderiveddriversexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowswsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAllocateAltitudeArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneIsWindowJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMD5+SHA1MahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASHA3-224SHA3-256SHA3-384SHA3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs deadlockdefault:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp execwaitexporterf is nilfinishedfs gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid linkpathlocationmac_addrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B work ( blocked= in use)
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ...
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2387931999.0000000000F11000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410715389.0000000000F11000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2364591268.0000000000F11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWJ
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic BitBltBrahmiCANCELCONIN$CancelCarianChakmaCommonCookieCopticExpectFltMgrFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd
Source: VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: and got= max= ms, ptr tab= top=%s %q%s %s%s%d%s/%s%s:%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.250001500025000350004500055000650512560015600278125:**@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNONCENushuOghamOriyaOsageP-224P-256P-384P-521PGDSEREALMRangeRealmRunicSHA-1STermTakriTamilTypeAUSTARUUID=\u202] = (allowarrayatimebad nchdirchmodclosecsrssctimedeferfalsefaultfilesfloatgcinggeoipgnamegscanhchanhostshttpsimap2imap3imapsinit int16int32int64matchmheapmkdirmonthmtimentohspanicparsepgdsepop3sproxyrangermdirrouterune scav schedsdsetsleepslicesockssse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...)
Source: f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	Binary or memory string: 100-continue127.0.0.1:%d127.0.0.1:53152587890625762939453125AUTHENTICATEBidi_ControlCIDR addressCONTINUATIONCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGetUserGeoIDGlobalUnlockGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectServer ErrorSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegc

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	API call chain: ExitProcess graph end node	graph_15-24405
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	API call chain: ExitProcess graph end node	graph_15-23369
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	API call chain: ExitProcess graph end node	graph_15-23391
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	API call chain: ExitProcess graph end node	graph_15-23372
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	API call chain: ExitProcess graph end node	graph_15-23390
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	API call chain: ExitProcess graph end node	graph_15-23383
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	API call chain: ExitProcess graph end node	graph_15-23212
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	API call chain: ExitProcess graph end node	graph_15-23413

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

Code function: 15_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

15_2_00417B4E

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

15_2_00416240

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_00415DC0 mov eax, dword ptr fs:[00000030h]	15_2_00415DC0
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006A092B mov eax, dword ptr fs:[00000030h]	15_2_006A092B
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006B6027 mov eax, dword ptr fs:[00000030h]	15_2_006B6027
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006A0D90 mov eax, dword ptr fs:[00000030h]	15_2_006A0D90
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_00833643 push dword ptr fs:[00000030h]	15_2_00833643

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

Code function: 15_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

15_2_00404C70

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_00419DC7 SetUnhandledExceptionFilter,	15_2_00419DC7
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_00417B4E
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_004173DD
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006BA02E SetUnhandledExceptionFilter,	15_2_006BA02E
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006B7DB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_006B7DB5
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006B7644 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_006B7644
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: 31_1_001B205C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_1_001B205C
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: 31_1_001B1ACE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_1_001B1ACE
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: 31_1_001C8F26 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_1_001C8F26

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SqWYf8qFi.exe" -Force
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SqWYf8qFi.exe" -Force			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe

Section unmapped: unknown base address: 400000

Jump to behavior

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		15_2_00415D00
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: 15_2_006B5F67 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		15_2_006B5F67

Writes to foreign memory regions

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 404000	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 406000	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: AAF008	Jump to behavior

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SqWYf8qFi.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe "C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe "C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe "C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe "C:\Users\user\Pictures\wQ9dgKtBZDeIUddSVpW8BvEm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe "C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe "C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe "C:\Users\user\Pictures\3iX1J0J7PXcnIfnf5KGl849r.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe "C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe "C:\Users\user\Pictures\H1Mms5Gptfho9VyHt62sHSNN.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe "C:\Users\user\Pictures\VWhRbFHRqImCr0UdFf6QtJNt.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe "C:\Users\user\Pictures\f2CDTsUNlMadewChtQe3a8Da.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe "C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\dZhcoTSgym1JGRiEQOUqAdeo.exe "C:\Users\user\Pictures\dZhcoTSgym1JGRiEQOUqAdeo.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\rfKusEcfqkKKVyx19jVITYlO.exe "C:\Users\user\Pictures\rfKusEcfqkKKVyx19jVITYlO.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe "C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe "C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\mxmsi31bOIKdEb9VIHBYJshQ.exe "C:\Users\user\Pictures\mxmsi31bOIKdEb9VIHBYJshQ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe "C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe "C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\jLh2jXNiKaCQ93A91IuQMDiC.exe "C:\Users\user\Pictures\jLh2jXNiKaCQ93A91IuQMDiC.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Users\user\Pictures\VF98zhY4QVhDxJpNtAE2TU6d.exe "C:\Users\user\Pictures\VF98zhY4QVhDxJpNtAE2TU6d.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Process created: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c4b21c8,0x6c4b21d4,0x6c4b21e0
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Process created: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d4,0x300,0x6b8021c8,0x6b8021d4,0x6b8021e0
Source: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe	Process created: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2c4,0x304,0x6bd721c8,0x6bd721d4,0x6bd721e0
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	Process created: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6ae821c8,0x6ae821d4,0x6ae821e0
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	Process created: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6a9c21c8,0x6a9c21d4,0x6a9c21e0
Source: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe	Process created: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6a5021c8,0x6a5021d4,0x6a5021e0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Process created: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe c:\users\user\pictures\rmussye2z14xnxfrvlvv1kvs.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c4b21c8,0x6c4b21d4,0x6c4b21e0
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Process created: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe c:\users\user\pictures\upwyhcua3tbsx6l2qc9szcbh.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d4,0x300,0x6b8021c8,0x6b8021d4,0x6b8021e0
Source: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe	Process created: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe c:\users\user\pictures\rfsq67iama4rppnx6lhmdfkm.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2c4,0x304,0x6bd721c8,0x6bd721d4,0x6bd721e0
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	Process created: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe c:\users\user\pictures\zky9gvt7bugdavv29pfhdo1j.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6ae821c8,0x6ae821d4,0x6ae821e0
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	Process created: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe c:\users\user\pictures\j1xogrobjfvz0crzu7rpw7ns.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6a9c21c8,0x6a9c21d4,0x6a9c21e0
Source: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe	Process created: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe c:\users\user\pictures\2n6azsnlktkxjnmzwvg8ou1l.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6a5021c8,0x6a5021d4,0x6a5021e0
Source: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe	Process created: C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe c:\users\user\pictures\rmussye2z14xnxfrvlvv1kvs.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c4b21c8,0x6c4b21d4,0x6c4b21e0
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Process created: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe c:\users\user\pictures\upwyhcua3tbsx6l2qc9szcbh.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d4,0x300,0x6b8021c8,0x6b8021d4,0x6b8021e0
Source: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe	Process created: C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe c:\users\user\pictures\rfsq67iama4rppnx6lhmdfkm.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2c4,0x304,0x6bd721c8,0x6bd721d4,0x6bd721e0
Source: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe	Process created: C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe c:\users\user\pictures\zky9gvt7bugdavv29pfhdo1j.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6ae821c8,0x6ae821d4,0x6ae821e0
Source: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe	Process created: C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe c:\users\user\pictures\j1xogrobjfvz0crzu7rpw7ns.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6a9c21c8,0x6a9c21d4,0x6a9c21e0
Source: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe	Process created: C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe c:\users\user\pictures\2n6azsnlktkxjnmzwvg8ou1l.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6a5021c8,0x6a5021d4,0x6a5021e0

Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp	Binary or memory string: ..\..\opera\desktop\chrome_imports\chrome\browser\win\ui_automation_util.ccGetCachedBstrValue property is not a BSTR: GetCachedInt32Value property is not an I4: X64Cannot get the size of file version infoNo file version in the package\StringFileInfo\000004B0\ProductVersionNo product version value in the packageReceived an invalid version: \StringFileInfo\000004B0\ContinuousVersionReceived an invalid continuous build number: Cannot acquire internal version from the full version: \StringFileInfo\000004B0\StreamNo stream value in the packageCannot get exe output: version..\..\opera\desktop\windows\installer\common\file_version_utils_impl.ccInvalid version from exe: Cannot get exe output: streamCannot get app output Failed to run the elevated process: Failed wait for the elevated process: Unexpected result when waiting for elevated process: Shortcut element - no correct interface...\..\opera\desktop\windows\installer\common\pin_automator.ccDoneCannot get native menu handle.Cannot get desktop rect.Cannot find pin menu element.No rectangleCould not activate the menu item.ProgmanSysListView324
Source: UPwYHcUA3TbsX6l2qc9SZcBH.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe	Binary or memory string: Progman

Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe

Code function: 31_1_001B1C3F cpuid

31_1_001B1C3F

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	15_2_00414570
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	15_2_006B47D7
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: GetLocaleInfoW,	31_1_001CC83D
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: EnumSystemLocalesW,	31_1_001CC912
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: GetLocaleInfoW,	31_1_001CC95D
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	31_1_001CCA04
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	31_1_001CC29F
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: GetLocaleInfoW,	31_1_001CCB0A
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: EnumSystemLocalesW,	31_1_001C832B
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: EnumSystemLocalesW,	31_1_001CC4F0
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	31_1_001CC58B
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: GetLocaleInfoW,	31_1_001C7DEB
Source: C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe	Code function: EnumSystemLocalesW,	31_1_001CC7DE

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Users\user\Desktop\3SqWYf8qFi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3SqWYf8qFi.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

Code function: 15_2_00414450 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA,

15_2_00414450

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

Code function: 15_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA,

15_2_004143C0

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

Code function: 15_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

15_2_004144B0

Source: C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe

10_2_00404375

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Users\user\Desktop\3SqWYf8qFi.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Source: C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Users\user\Pictures\jpm6qF5Qiq3f7hmREIabTmaO.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Users\user\Pictures\dC7amCutZVjsSWxQ9FIlZYqw.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Glupteba

Source: Yara match	File source: 38.1.VF98zhY4QVhDxJpNtAE2TU6d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.f2CDTsUNlMadewChtQe3a8Da.exe.3690000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000001.2270329448.0000000000843000.00000040.00000001.01000000.0000002A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f2CDTsUNlMadewChtQe3a8Da.exe PID: 10968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VF98zhY4QVhDxJpNtAE2TU6d.exe PID: 14320, type: MEMORYSTR

Yara detected Mars stealer

Source: Yara match	File source: 15.2.syncUpd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.syncUpd.exe.6a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.syncUpd.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.syncUpd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.syncUpd.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.syncUpd.exe.6a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000003.1947105334.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2876636083.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2877180819.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 0000000F.00000002.2877720615.0000000000848000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: syncUpd.exe PID: 9392, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 15.2.syncUpd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.syncUpd.exe.6a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.syncUpd.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.syncUpd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.syncUpd.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.syncUpd.exe.6a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000003.1947105334.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2876636083.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2877180819.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: syncUpd.exe PID: 9392, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MetaMask\|djclckkglechooblngghdinmeemkbgci\|1\|0\|0\|MetaMask\|ejbalbakoplchlghecdalmeeeajnimhm\|1\|0\|0\|MetaMask\|nkbihfbeogaeaoehlefnkodbefgpgknn\|1\|0\|0\|TronLink\|ibnejdfjmmkpcnlpebklmnkoeoihofec\|1\|0\|0\|Binance Wallet\|fhbohimaelbohpjbbldcngcnapndodjp\|1\|0\|0\|Yoroi\|ffnbelfdoeiohenkjibnmadjiehjhajb\|1\|0\|0\|Coinbase Wallet extension\|hnfanknocfeofbddgcijnmhnfnkdnaad\|1\|0\|1\|Guarda\|hpglfhgfnhbgpjdenjgmdgoeiappafln\|1\|0\|0\|Jaxx Liberty\|cjelfplplebdjjenllpjcblmjkfcffne\|1\|0\|0\|iWallet\|kncchdigobghenbbaddojjnnaogfppfj\|1\|0\|0\|MEW CX\|nlbmnnijcnlegkjjpcfjclmcfggfefdm\|1\|0\|0\|GuildWallet\|nanjmdknhkinifnkgdcggcfnhdaammmj\|1\|0\|0\|Ronin Wallet\|fnjhmkhhmkbjkkabndcnnogagogbneec\|1\|0\|0\|NeoLine\|cphhlgmgameodnhkjdmkpanlelnlohao\|1\|0\|0\|CLV Wallet\|nhnkbkgjikgcigadomkphalanndcapjk\|1\|0\|0\|Liquality Wallet\|kpfopkelmapcoipemfendmdcghnegimn\|1\|0\|0\|Terra Station Wallet\|aiifbnbfobpmeekipheeijimdpnlpgpp\|1\|0\|0\|Keplr\|dmkamcknogkgcdfhhbddcghachkejeap\|1\|0\|0\|Sollet\|fhmfendgdocmcbmfikdcogofphimnkno\|1\|0\|0\|Auro Wallet(Mina Protocol)\|cnmamaachppnkjgnildpdmkaakejnhae\|1\|0\|0\|Polymesh Wallet\|jojhfeoedkpkglbfimdfabpdfjaoolaf\|1\|0\|0\|ICONex\|flpiciilemghbmfalicajoolhkkenfel\|1\|0\|0\|Coin98 Wallet\|aeachknmefphepccionboohckonoeemg\|1\|0\|0\|EVER Wallet\|cgeeodpfagjceefieflmdfphplkenlfk\|1\|0\|0\|KardiaChain Wallet\|pdadjkfkgcafgbceimcpbkalnfnepbnk\|1\|0\|0\|Rabby\|acmacodkjbdgmoleebolmdjonilkdbch\|1\|0\|0\|Phantom\|bfnaelmomeimhlpmgjnjophhpkkoljpa\|1\|0\|0\|Brave Wallet\|odbfpeeihdkbihmopkbjmoonfanlbfcl\|1\|0\|0\|Oxygen\|fhilaheimglignddkjgofkcbgekhenbh\|1\|0\|0\|Pali Wallet\|mgffkfbidihjpoaomajlbgchddlicgpn\|1\|0\|0\|BOLT X\|aodkkagnadcbobfpggfnjeongemjbjca\|1\|0\|0\|XDEFI Wallet\|hmeobnfnfcmdkdcmlblgagmfpfboieaf\|1\|0\|0\|Nami\|lpfcbjknijpeeillifnkikgncikgfhdo\|1\|0\|0\|Maiar DeFi Wallet\|dngmlblcodfobpdpecaadgfbcggfjfnm\|1\|0\|0\|Keeper Wallet\|lpilbniiabackdjcionkobglmddfbcjo\|1\|0\|0\|Solflare Wallet\|bhhhlbepdkbapadjdnnojkbgioiodbic\|1\|0\|0\|Cyano Wallet\|dkdedlpgdmmkkfjabffeganieamfklkm\|1\|0\|0\|KHC\|hcflpincpppdclinealmandijcmnkbgn\|1\|0\|0\|TezBox\|mnfifefkajgofkcjkemidiaecocnkjeh\|1\|0\|0\|Temple\|ookjlbkiijinhpmnjffcofjonbfbgaoc\|1\|0\|0\|Goby\|jnkelfanjkeadonecabehalmbgpfodjm\|1\|0\|0\|Ronin Wallet\|kjmoohlgokccodicjjfebfomlbljgfhk\|1\|0\|0\|Byone\|nlgbhdfgdhgbiamfdfmbikcdghidoadd\|1\|0\|0\|OneKey\|jnmbobjmhlngoefaiojfljckilhhlhcj\|1\|0\|0\|DAppPlay\|lodccjjbdhfakaekdiahmedfbieldgik\|1\|0\|0\|SteemKeychain\|jhgnbkkipaallpehbohjmkbjofjdmeid\|1\|0\|0\|Braavos Wallet\|jnlgamecbpmbajjfhmmmlhejkemejdma\|1\|0\|0\|Enkrypt\|kkpllkodjeloidieedojogacfhpaihoh\|1\|1\|1\|OKX Wallet\|mcohilncbfahbmgdjkbpemcciiolgcge\|1\|0\|0\|Sender Wallet\|epapihdplajcdnnkdeiahlgigofloibg\|1\|0\|0\|Hashpack\|gjagmgiddbbciopjhllkdnddhcglnemk\|1\|0\|0\|Eternl\|kmhcihpebfmpgmihbkipmjlmmioameka\|1\|0\|0\|Pontem Aptos Wallet\|phkbamefinggmakgklpkljjmgibohnba\|1\|0\|0\|Petra Aptos Wallet\|ejjladinnckdgjemekebdpeokbikhfci\|1\|0\|0\|Martian Aptos Wallet\|efbglgofoippbgcjepnhiblaibcnclgk\|1\|0\|0\|Finnie\|cjmkndjhnagcfbpiemnkdpomccnjblmj\|1\|0\|0\|Leap Terra Wallet\|aijcbedoijmgnlmjeegjaglmepbmpkpi\|1\|0\|0\|Trezor Password Manager\|imloifkgjagghnncjkhggdhalmcnfklk\|1\|0\|0\|Authenticator\|bhghoamapcdpbohphigoooaddinpkbai\|1\|0\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\syncUpd.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\

Source: Yara match

File source: Process Memory Space: syncUpd.exe PID: 9392, type: MEMORYSTR

Remote Access Functionality

Yara detected Glupteba

Source: Yara match	File source: 38.1.VF98zhY4QVhDxJpNtAE2TU6d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.3.f2CDTsUNlMadewChtQe3a8Da.exe.3690000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000026.00000001.2270329448.0000000000843000.00000040.00000001.01000000.0000002A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.2076235587.0000000003AD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: f2CDTsUNlMadewChtQe3a8Da.exe PID: 10968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: VF98zhY4QVhDxJpNtAE2TU6d.exe PID: 14320, type: MEMORYSTR

Yara detected Mars stealer

Source: Yara match	File source: 15.2.syncUpd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.syncUpd.exe.6a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.syncUpd.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.syncUpd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.syncUpd.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.syncUpd.exe.6a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000003.1947105334.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2876636083.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2877180819.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 0000000F.00000002.2877720615.0000000000848000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: syncUpd.exe PID: 9392, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 15.2.syncUpd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.syncUpd.exe.6a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.syncUpd.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.syncUpd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.3.syncUpd.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.syncUpd.exe.6a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000003.1947105334.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2876636083.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2877180819.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: syncUpd.exe PID: 9392, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	1 Windows Management Instrumentation	11 Scripting	1 DLL Side-Loading	21 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	412 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	21 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Clipboard Data	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	12 Command and Scripting Interpreter	Login Hook	Login Hook	21 Software Packing	NTDS	147 System Information Discovery	Distributed Component Object Model	Input Capture	1 Proxy	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	131 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	131 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	131 Virtualization/Sandbox Evasion	Proc Filesystem	13 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3SqWYf8qFi.exe	18%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
3SqWYf8qFi.exe	25%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\DG5NfvChXpdFrpWmBrnRWaQb.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\9pxDWajsJYwYwL1brTzHEdek.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\9HGEbLH7EssqmLwFcrlZYSWT.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\5QpyioUXq8ASWQahMvzU4ahz.exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\freebl3.dll	0%	Virustotal	Browse
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	Virustotal	Browse
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	Virustotal	Browse
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	Virustotal	Browse
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	Virustotal	Browse
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	Virustotal	Browse

Name	Malicious	Antivirus Detection	Reputation
http://185.172.128.145/3cd2b41cbde8fc9c.php	true
185.172.128.145/3cd2b41cbde8fc9c.php	true

URLs from Memory and Binaries

Name	Source	Malicious
https://desktop-netinstaller-sub.osp.opera.software/y	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.0000000001666000.00000004.00000020.00020000.00000000.sdmp	false
https://duckduckgo.com/chrome_newtab	syncUpd.exe, 0000000F.00000003.2281275820.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/Security	rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp	false
https://duckduckgo.com/ac/?q=	syncUpd.exe, 0000000F.00000003.2281275820.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	false
https://legal.opera.com/terms	UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/t	UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410715389.0000000000F11000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.145/15f649199f40275b/freebl3.dll	syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/o	UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2364591268.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2387931999.0000000000EAF000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410715389.0000000000EAF000.00000004.00000020.00020000.00000000.sdmp	false
https://help.opera.com/latest/	UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	false
https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=10	2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2363415183.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/l	rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/k	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	false
https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=1E	j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2417221880.0000000045A9C000.00000004.00001000.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2417196433.0000000045A8C000.00000004.00001000.00020000.00000000.sdmp	false
https://policies.google.com/terms;	UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	false
https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=1	UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2361773425.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2444214649.000000003F6E0000.00000004.00001000.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2379241385.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2410307403.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2430979117.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2393171018.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2435436063.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001610000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442781384.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2436840383.000000003F734000.00000004.00001000.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2372910856.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2417196433.0000000045A8C000.00000004.00001000.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2408410558.0000000045B34000.00000004.00001000.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2425396629.00000000380E0000.00000004.00001000.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2363345584.0000000000C32000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2363415183.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp	false
http://autoupdate-staging.services.ams.osa/	UPwYHcUA3TbsX6l2qc9SZcBH.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe	false
http://185.172.128.187/ping.php?substr=two	vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.000000000067E000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/b	2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2401048572.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423165911.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2391593565.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.187/Ledger-Live.exe3	syncUpd.exe, 0000000F.00000002.3205646166.0000000026F06000.00000004.00000020.00020000.00000000.sdmp	false
http://localhost:3001api/prefs/?product=$1&version=$2..	UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	false
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	false
https://www.opera.com/download/	UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	false
http://185.172.128.145/15f649199f40275b/vcruntime140.dllo	syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/X	zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010C0000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/W	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001610000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/V	2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2401048572.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423165911.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2381790231.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2363415183.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2382378174.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2391593565.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.187/Ledger-Live.exe_	syncUpd.exe, 0000000F.00000002.3205646166.0000000026F06000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/U	j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2407930928.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2404639801.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414780293.0000000000FBA000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryera.software	2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423730656.00000000034C0000.00000004.00000020.00020000.00000000.sdmp	false
https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64uh#	zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2884161745.00000000010A1000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/v1/b	zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010A1000.00000004.00000020.00020000.00000000.sdmp	false
https://download3.operacdn.com/	rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/E	j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F14000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.145/15f649199f40275b/mozglue.dll	syncUpd.exe, 0000000F.00000002.2877720615.000000000089F000.00000004.00000020.00020000.00000000.sdmp	false
https://turnitin.com/robot/crawlerinfo.html)cannot	f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/A	rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.187/Ledger-Live.exeT	syncUpd.exe, 0000000F.00000002.3205646166.0000000026F06000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/?	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.187/Ledger-Live.exeposition:	syncUpd.exe, 0000000F.00000002.2876636083.0000000000447000.00000040.00000001.01000000.0000000D.sdmp	false
https://crashpad.chromium.org/	UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	false
https://addons.opera.com/en/extensions/details/dify-cashback/	j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryncO	2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2401048572.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423165911.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2381790231.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2382378174.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2391593565.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	false
https://download3.operacdn.com/$	j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	false
https://autoupdate.geo.opera.com/geolocation/	UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2422974806.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2409772902.0000000000B74000.00000004.00000020.00020000.00000000.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	false
https://crashstats-collector.opera.com/collector/submit	j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2506090579.0000000001430000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2499037489.0000000001280000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2521237730.000000004CA5C000.00000004.00001000.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryera.software_	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	syncUpd.exe, 0000000F.00000003.2281275820.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	false
https://opera.com/privacy	UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	false
http://185.172.128.90/cpa/ping.php?substr=two&s=ab/SILENT/TOSTACK/NOCANCELgethttp://185.172.128.187/	vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.2057372935.0000000002E3D000.00000004.00000020.00020000.00000000.sdmp, vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.000000000067E000.00000004.00000020.00020000.00000000.sdmp	false
https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x648b	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryUS)	2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2401048572.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423165911.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2381790231.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2382378174.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2391593565.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	syncUpd.exe, 0000000F.00000003.2281275820.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	false
https://gamemaker.io)	UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	false
http://autoupdate-staging.services.ams.osa/v4/v5/netinstaller///windows/x64v2/Fetching	UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	false
http://https://_bad_pdb_file.pdb	f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003D5B000.00000004.00001000.00020000.00000000.sdmp	false
http://185.172.128.187/	vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryur	rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp	false
http://nsis.sf.net/NSIS_Error	vkIsjAzkgrOzUK7uj2IHc9JM.exe, vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000000.1843284935.000000000040B000.00000002.00000001.01000000.0000000A.sdmp, 3iX1J0J7PXcnIfnf5KGl849r.exe, 00000011.00000000.1859837097.000000000040B000.00000002.00000001.01000000.0000000B.sdmp, H1Mms5Gptfho9VyHt62sHSNN.exe, 00000014.00000000.1948458807.000000000040B000.00000002.00000001.01000000.0000001B.sdmp, VWhRbFHRqImCr0UdFf6QtJNt.exe, 00000016.00000000.1943621838.000000000040B000.00000002.00000001.01000000.00000014.sdmp, mxmsi31bOIKdEb9VIHBYJshQ.exe, 00000021.00000000.2047728912.000000000040B000.00000002.00000001.01000000.00000026.sdmp, jLh2jXNiKaCQ93A91IuQMDiC.exe, 00000025.00000000.2064292451.000000000040B000.00000002.00000001.01000000.00000027.sdmp	false
http://www.google.com/feedfetcher.html)HKLM	f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	false
https://blockchain.infoindex	VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	false
https://gamemaker.io/en/get.	UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	false
https://gamemaker.io	UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryCa	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.90/cpa/ping.php?substr=two&s=ab	vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006BE000.00000004.00000020.00020000.00000000.sdmp, vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.2057372935.0000000002E3D000.00000004.00000020.00020000.00000000.sdmp, vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.000000000067E000.00000004.00000020.00020000.00000000.sdmp	false
https://redir.opera.com/www.opera.com/firstrun/?utm_campaign=767&utm_medium=apb&utm_source=mkt&http_	j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2416720122.0000000045A40000.00000004.00001000.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2408410558.0000000045B34000.00000004.00001000.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2425396629.00000000380E0000.00000004.00001000.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2363345584.0000000000C32000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2389660858.0000000038134000.00000004.00001000.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/P(s	UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2364591268.0000000000EAD000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2387931999.0000000000EAF000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410715389.0000000000EAF000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/r-sub.osp.opera.software/	rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000165B000.00000004.00000020.00020000.00000000.sdmp	false
https://download3.operacdn.com/ftp/pub/opera/desktop/108.0.5067.24/win/Opera_108.0.5067.24_Autoupdat	j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F14000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2387931322.0000000000FB2000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414738796.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2404639801.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000003.2388133805.0000000000FC7000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/v1/binarynt	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001610000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryMt	2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2401048572.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2423165911.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2381790231.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2382378174.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000003.2391593565.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp	false
https://crashpad.chromium.org/bug/new	UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	false
http://185.172.128.145/15f649199f40275b/sqlite3.dlllLx	syncUpd.exe, 0000000F.00000003.2281435291.000000000089F000.00000004.00000020.00020000.00000000.sdmp	false
https://download.opera.com/download/get/?id=65199&autoupdate=1&ni=1&stream=stable&utm_campaign=767&u	rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2796662559.000000000164C000.00000004.00000020.00020000.00000000.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2820867767.0000000029B34000.00000004.00001000.00020000.00000000.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 0000000C.00000003.2356908534.0000000001653000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2407180517.000000002E134000.00000004.00001000.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2412352500.000000002E0E0000.00000004.00001000.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2364591268.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000003.2378402420.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2444214649.000000003F6E0000.00000004.00001000.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2379241385.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2410307403.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2430979117.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2393171018.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2435436063.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442781384.0000000001676000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2436840383.000000003F734000.00000004.00001000.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2368162064.0000000001118000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010A5000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010A1000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2884161745.00000000010A1000.00000004.00000020.00020000.00000000.sdmp	false
https://autoupdate.geo.opera.com/9F	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryetmsg.dll.mui	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010FB000.00000004.00000020.00020000.00000000.sdmp	false
https://crashstats-collector.opera.com/collector/submitL	j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2515439121.000000004CA24000.00000004.00001000.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2521237730.000000004CA5C000.00000004.00001000.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/DllFuncName	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001610000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.145/15f649199f40275b/sqlite3.dll	syncUpd.exe, 0000000F.00000003.2281435291.000000000089F000.00000004.00000020.00020000.00000000.sdmp	false
https://autoupdate.geo.opera.com/_Event_	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	false
https://autoupdate.geo.opera.com/v5/netinstaller/opera/Stable/windows/x64Cb	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	false
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	syncUpd.exe, 0000000F.00000003.2281275820.00000000008F6000.00000004.00000020.00020000.00000000.sdmp	false
https://download.opera.com/download/get/?id=65171&autoupdate=1&ni=19F	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2381346872.0000000001610000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.187/v	vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	false
http://search.msn.com/msnbot.htm)msnbot/1.1	f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/ssContentHintDecodeExDllFuncNamew	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2433684677.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2412912542.000000000161C000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000003.2395053147.0000000001612000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442648907.000000000161C000.00000004.00000020.00020000.00000000.sdmp	false
https://legal.opera.com/eula/computers	UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	false
https://crashstats-collector.opera.com/collector/submit--annotation=channel=Stable--annotation=plat=	Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2456981913.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2458031390.000000005C814000.00000004.00001000.00020000.00000000.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2514125929.000000004CA14000.00000004.00001000.00020000.00000000.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/v1/binaryera.softwarest	UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2410615687.0000000000EA3000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.145/3cd2b41cbde8fc9c.php0d62641a64885f84d53bf1676aabn	syncUpd.exe, 0000000F.00000002.2876636083.0000000000447000.00000040.00000001.01000000.0000000D.sdmp	false
https://desktop-netinstaller-sub.osp.opera.software/v1/binary/B	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442550747.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	false
https://download.opera.com/-sub.osp.opera.software/y	zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2388431790.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, zKY9gVt7bugdAVV29pfHDO1J.exe, 0000001D.00000003.2379585399.00000000010C0000.00000004.00000020.00020000.00000000.sdmp	false
https://www.opera.com..	UPwYHcUA3TbsX6l2qc9SZcBH.exe, 00000013.00000002.2409921940.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2441856398.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000002.2423332113.0000000000225000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000D25000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.0000000000275000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.0000000000115000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.00000000000A5000.00000040.00000001.01000000.0000002C.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, 0000002B.00000002.2436482211.0000000000275000.00000040.00000001.01000000.00000029.sdmp	false
http://185.172.128.187/T	vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000003.1920722672.00000000006EC000.00000004.00000020.00020000.00000000.sdmp, vkIsjAzkgrOzUK7uj2IHc9JM.exe, 0000000A.00000002.1999621262.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false
http://185.172.128.145/15f649199f40275b/softokn3.dlld	syncUpd.exe, 0000000F.00000002.2877720615.0000000000886000.00000004.00000020.00020000.00000000.sdmp	false
https://legal.opera.com/privacy.	UPwYHcUA3TbsX6l2qc9SZcBH.exe, UPwYHcUA3TbsX6l2qc9SZcBH.exe, 0000001F.00000001.2097354505.00000000001FA000.00000040.00000001.01000000.0000001A.sdmp, Rfsq67IamA4rPpnX6LHMDFkm.exe, Rfsq67IamA4rPpnX6LHMDFkm.exe, 00000020.00000002.2457163152.0000000000CFA000.00000040.00000001.01000000.00000018.sdmp, j1XOgROBJfvz0cRzU7rPw7NS.exe, j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2412165528.000000000024A000.00000040.00000001.01000000.00000029.sdmp, 2n6aZsnLKtKXJNMzWvG8Ou1L.exe, 00000023.00000002.2420796165.00000000000EA000.00000040.00000001.01000000.00000028.sdmp, rMuSSyE2z14xNxfrVLVv1kvs.exe, 00000029.00000001.2215014339.000000000007A000.00000040.00000001.01000000.0000002C.sdmp	false
https://autoupdate.geo.opera.com/geolocation/4	Rfsq67IamA4rPpnX6LHMDFkm.exe, 0000001B.00000002.2442550747.00000000015B8000.00000004.00000020.00020000.00000000.sdmp	false
http://invalidlog.txtlookup	f2CDTsUNlMadewChtQe3a8Da.exe, 00000017.00000003.2076235587.0000000003690000.00000004.00001000.00020000.00000000.sdmp, VF98zhY4QVhDxJpNtAE2TU6d.exe, 00000026.00000001.2270329448.0000000000400000.00000040.00000001.01000000.0000002A.sdmp	false
https://download.opera.com/	j1XOgROBJfvz0cRzU7rPw7NS.exe, 00000022.00000002.2414111474.0000000000F77000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
93.171.243.253	unknown	Czech Republic	8870	OVDC-ASUA	false
212.110.188.202	unknown	United Kingdom	35425	BYTEMARK-ASGB	false
24.230.33.96	unknown	United States	11232	MIDCO-NETUS	false
64.157.16.43	unknown	United States	3064	AFFINITY-FTLUS	false
50.169.37.50	unknown	United States	7922	COMCAST-7922US	false
182.160.100.156	unknown	Bangladesh	24323	AAMRA-NETWORKS-AS-APaamranetworkslimitedBD	false
103.216.51.36	unknown	Cambodia	135375	TCC-AS-APTodayCommunicationCoLtdKH	false
78.90.252.7	unknown	Bulgaria	20911	NETSURF-AS-BG	false
182.253.172.111	unknown	Indonesia	17451	BIZNET-AS-APBIZNETNETWORKSID	false
51.15.139.15	unknown	France	12876	OnlineSASFR	false
181.78.11.217	unknown	Argentina	52468	UFINETPANAMASAPA	false
194.44.177.225	unknown	Ukraine	3255	UARNET-ASUARNetUA	false
89.168.121.175	unknown	United Kingdom	9105	TISCALI-UKTalkTalkCommunicationsLimitedGB	false
181.78.11.218	unknown	Argentina	52468	UFINETPANAMASAPA	false
85.113.47.102	unknown	Russian Federation	34533	ESAMARA-ASRU	false
85.237.62.189	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
41.155.190.214	unknown	Egypt	37069	MOBINILEG	false
13.234.24.116	unknown	United States	16509	AMAZON-02US	false
139.255.193.243	unknown	Indonesia	9905	LINKNET-ID-APLinknetASNID	false
159.65.0.189	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
103.81.196.125	unknown	Bangladesh	55492	DFN-BDDhakaFiberNetLimitedBD	false
180.178.104.110	unknown	Indonesia	38758	HYPERNET-AS-IDPTHIPERNETINDODATAID	false
31.43.63.70	unknown	Ukraine	50581	UTGUA	false
103.74.229.133	unknown	Bangladesh	131340	TAQWAIT-AS-APMdMozammelHoquetaTaqwaITBD	false
52.35.240.119	unknown	United States	16509	AMAZON-02US	false
45.172.177.253	unknown	Argentina	267791	INTERMEDIABUSINESSSOLUTIONSSRLAR	false
68.183.17.152	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
119.15.89.87	unknown	Cambodia	24492	IIT-WICAM-AS-APWiCAMCorporationLtdKH	false
103.25.210.102	unknown	Indonesia	132653	B-LINK-AS-IDPTTransdataSejahteraID	false
221.194.149.8	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
101.51.121.29	unknown	Thailand	23969	TOT-NETTOTPublicCompanyLimitedTH	false
146.19.106.42	unknown	France	7726	FITC-ASUS	false
51.81.89.146	unknown	United States	16276	OVHFR	false
114.129.2.82	unknown	Japan	7671	MCNETNTTSmartConnectCorporationJP	false
46.17.63.166	unknown	United Kingdom	39326	HSO-GROUPGB	false
51.79.248.215	unknown	Canada	16276	OVHFR	false
103.216.50.143	unknown	Cambodia	135375	TCC-AS-APTodayCommunicationCoLtdKH	false
62.171.131.101	unknown	United Kingdom	51167	CONTABODE	false
103.220.205.162	unknown	Bangladesh	59362	KSNETWORK-AS-APKSNetworkLimitedBD	false
103.47.93.250	unknown	India	9830	SWIFTONLINE-AS-APSWIFTONLINEBORDERASIN	false
183.164.254.8	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
194.9.80.1	unknown	unknown	206495	IR-SADRA-20180529IR	false
212.110.188.222	unknown	United Kingdom	35425	BYTEMARK-ASGB	false
103.47.93.248	unknown	India	9830	SWIFTONLINE-AS-APSWIFTONLINEBORDERASIN	false
201.163.73.93	unknown	Mexico	11172	AlestraSdeRLdeCVMX	false
202.162.105.202	unknown	Singapore	64050	BCPL-SGBGPNETGlobalASNSG	false
67.205.177.122	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
212.110.188.220	unknown	United Kingdom	35425	BYTEMARK-ASGB	false
94.182.26.44	unknown	Iran (ISLAMIC Republic Of)	31549	RASANAIR	false
50.233.240.87	unknown	United States	7922	COMCAST-7922US	false
38.253.88.242	unknown	United States	174	COGENT-174US	false
172.67.200.220	unknown	United States	13335	CLOUDFLARENETUS	false
13.59.156.167	unknown	United States	16509	AMAZON-02US	false
38.242.199.111	unknown	United States	36336	NATIXISUS	false
74.103.66.15	unknown	United States	701	UUNETUS	false
91.185.84.228	unknown	Russian Federation	49816	CMST-VOLGA-SIMBIRSKASRU	false
175.101.15.41	unknown	India	17754	EXCELL-ASExcellmediaIN	false
219.73.88.167	unknown	Hong Kong	4760	HKTIMS-APHKTLimitedHK	false
212.110.188.216	unknown	United Kingdom	35425	BYTEMARK-ASGB	false
212.110.188.211	unknown	United Kingdom	35425	BYTEMARK-ASGB	false
103.47.93.236	unknown	India	9830	SWIFTONLINE-AS-APSWIFTONLINEBORDERASIN	false
128.199.104.93	unknown	United Kingdom	14061	DIGITALOCEAN-ASNUS	false
212.110.188.213	unknown	United Kingdom	35425	BYTEMARK-ASGB	false
183.215.23.242	unknown	China	56047	CMNET-HUNAN-APChinaMobilecommunicationscorporationCN	false
35.207.123.94	unknown	United States	19527	GOOGLE-2US	false
103.189.96.98	unknown	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	false
162.144.32.209	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false
45.249.79.190	unknown	India	18229	CTRLS-AS-INCtrlSDatacentersLtdIN	false
102.132.55.250	unknown	South Africa	327996	ACCELERITZA	false
148.72.23.56	unknown	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	false
188.40.44.95	unknown	Germany	24940	HETZNER-ASDE	false
188.163.170.130	unknown	Ukraine	15895	KSNET-ASUA	false
186.190.225.152	unknown	Colombia	262186	TVAZTECASUCURSALCOLOMBIACO	false
81.250.223.126	unknown	France	3215	FranceTelecom-OrangeFR	false
218.252.244.126	unknown	Hong Kong	9908	HKCABLE2-HK-APHKCableTVLtdHK	false
89.165.40.8	unknown	Iran (ISLAMIC Republic Of)	39501	NGSASIR	false
47.236.56.214	unknown	United States	20115	CHARTER-20115US	false
212.110.188.204	unknown	United Kingdom	35425	BYTEMARK-ASGB	false
191.101.1.116	unknown	Chile	61317	ASDETUKhttpwwwheficedcomGB	false
94.131.14.66	unknown	Ukraine	29632	NASSIST-ASGI	false
92.119.74.249	unknown	Slovenia	205715	AS-FITELNETWORKES	false
212.110.188.207	unknown	United Kingdom	35425	BYTEMARK-ASGB	false
1.55.241.4	unknown	Viet Nam	18403	FPT-AS-APTheCorporationforFinancingPromotingTechnolo	false
23.111.102.153	unknown	Russian Federation	7979	SERVERS-COMUS	false
103.47.93.223	unknown	India	9830	SWIFTONLINE-AS-APSWIFTONLINEBORDERASIN	false
113.74.26.114	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
104.17.9.114	unknown	United States	13335	CLOUDFLARENETUS	false
45.235.16.121	unknown	Brazil	267406	AGOBrasilInternetLtdaBR	false
168.227.11.135	unknown	Brazil	28201	CompanhiaItabiranaTelecomunicacoesLtdaBR	false
5.161.144.46	unknown	Germany	24940	HETZNER-ASDE	false
200.174.198.95	unknown	Brazil	4230	CLAROSABR	false
183.88.122.200	unknown	Thailand	45758	TRIPLETNET-AS-APTripleTInternetTripleTBroadbandTH	false
45.71.15.136	unknown	Brazil	267595	MILANINNETBR	false
180.104.0.161	unknown	China	137702	CHINATELECOM-JIANGSU-NANJING-IDCNanjingJiangsuProvince	false
124.106.228.30	unknown	Philippines	9299	IPG-AS-APPhilippineLongDistanceTelephoneCompanyPH	false
104.236.0.129	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
110.77.236.112	unknown	Thailand	131090	CAT-IDC-4BYTENET-AS-APCATTELECOMPublicCompanyLtdCATT	false
103.47.93.218	unknown	India	9830	SWIFTONLINE-AS-APSWIFTONLINEBORDERASIN	false
54.67.125.45	unknown	United States	16509	AMAZON-02US	false
14.232.235.13	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1407471
Start date and time:	2024-03-12 12:03:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	49
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3SqWYf8qFi.exe renamed because original name is a hash value
Original Sample Name:	27b3e45a81641d0e7d0dea29938774ae.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@132/420@0/100
EGA Information:	Successful, ratio: 42.9%
HCA Information:	Successful, ratio: 75% Number of executed functions: 131 Number of non-executed functions: 155
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, WerFault.exe, SIHClient.exe, conhost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
11:04:15	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0J09ro90wH7cLZwlpWjZz8T8.bat
11:04:32	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8RikxgyHSlngyCNkLljOoIea.bat
11:04:49	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CjdCWP2sC37ZrV3R6LwCpexO.bat
11:05:01	Task Scheduler	Run new task: MalayamaraUpdate path: "C:\Users\user\AppData\Local\Temp\Updater.exe"
11:05:03	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ghLXR4xqE410iKbU3cBOmlGw.bat
11:05:13	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MCYmcBRyIU8ux2QHjbZuxfqz.bat
11:05:22	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mVUYVq6R7ZMOQMgpxdxZp1O4.bat
11:05:26	Task Scheduler	Run new task: Opera scheduled Autoupdate 1710241523 path: C:\Users\user\AppData\Local\Programs\Opera\autoupdate\opera_autoupdate.exe s>--scheduledtask --bypasslauncher $(Arg0)
11:05:46	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nkgJlCpXnklvIZptbofXvweb.bat
11:06:06	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0vVJWHdlOpVUJxV1xztDPHUw.bat
11:06:24	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0WOLhTTA42JINQ9Omh8xrRDx.bat
12:03:55	API Interceptor	95x Sleep call for process: 3SqWYf8qFi.exe modified
12:04:12	API Interceptor	500x Sleep call for process: CasPol.exe modified
12:04:12	API Interceptor	31x Sleep call for process: powershell.exe modified
12:04:40	API Interceptor	3x Sleep call for process: F3bLUEvvHahM06jSZWbJPDdX.exe modified
12:04:40	API Interceptor	3x Sleep call for process: jpm6qF5Qiq3f7hmREIabTmaO.exe modified
12:04:58	API Interceptor	3x Sleep call for process: dC7amCutZVjsSWxQ9FIlZYqw.exe modified
12:04:59	API Interceptor	2x Sleep call for process: f2CDTsUNlMadewChtQe3a8Da.exe modified
12:04:59	API Interceptor	2x Sleep call for process: wQ9dgKtBZDeIUddSVpW8BvEm.exe modified
12:05:00	API Interceptor	2x Sleep call for process: rfKusEcfqkKKVyx19jVITYlO.exe modified
12:05:04	API Interceptor	2x Sleep call for process: dZhcoTSgym1JGRiEQOUqAdeo.exe modified
12:05:04	API Interceptor	2x Sleep call for process: VF98zhY4QVhDxJpNtAE2TU6d.exe modified
12:05:04	API Interceptor	2x Sleep call for process: VySSnHhKNg09wrV9qkpgKtg9.exe modified

Process:	C:\Users\user\AppData\Local\Temp\syncUpd.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690067217069288
Encrypted:	false
SSDEEP:	12:wSQanHEC73FqjThUbJwuUn5qPyd2whRZfZOaH5KrqXzJI/y5bjbVMmRYAPL8fx7T:wHu73FWhUNwzqq2OfX82JdHRNPLcxdl
MD5:	4E32787C3D6F915D3CB360878174E142
SHA1:	57FF84FAEDF66015F2D79E1BE72A29D7B5643F47
SHA-256:	2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
SHA-512:	CEC75D7CCFA70705732826C202D144A8AC913E7FCFE0D9B54F6A0D1EEC3253B6DEFFB91E551586DA15F56BA4DE8030AC23EE28B16BB80D1C5F1CB6BECF9C21BE
Malicious:	false
Reputation:	unknown
Preview:	AIXACVYBSBCZDJMZUDVNECMFSGJSAOAIXCJFDPHQJVUANUFFPQXVYJRUGYPJGKEJNXCBTXARAETAKFTJKVLIZEXLMOAPVEZRZZUIRDUKSPZRBPINNEKLCLXBHFZMBRJTUJZTRCGQGFRQCEVPUBAAPBHBTYYHDJZHHPMFAKXVJPQRQCRUFYPMNUCRRQOYXYEHXQEHWHFLZSBMLRRZFLLYUQLADTKEDXVDLKLPZTTCNAXMXPSTCHQKWMSRPNRZGULFHOTUOYUSIVJEHUYPRYGESSFFMBWDPFRMTVBZEHTJSPRMDJISAZPMEWNGPGIXXTDNHCOBSXAWEFWRZNECKZGORELWMEPSAPLSTZZPUKXURSKTFSUSFEZMXMAIMRJZNGCVKLOHPVMZEIXIISXVMQHQTSADYWZQSWYVJHHONOOSZPQVWIUFMVXBXYCJOMERCQSVXERFAOOENLKARQGTECAIXOXEZPFDFJHYFCKLADMCWYOMCITRHMECVVVNPNTSRXYGYRKZUTOFNBMHDZWYHPYLTWEIGWOIGBTHWYGIXBCUDYMZMTZNYQMZLMXKPNFZDUEXXQLFJZZZVOPBEZKTKTJCTNUPRCNNGCPTIHKPTGBJLGUENNUGTZVMZJGQGUVBRLOJZECBLINEKGSIRFWZPWMVYJNEPWGYIAHKMJRBZMRVIBPONMHBDQZYFBHDDMYBZZAFEPAQFFUPIGGYNSPVXUWNNCWAUZXAGCATPNHNNYICDCRMTKRODUCDDFZKHLISLVOIFZPDTOSIEREFHYEWUBJKJRWXMZUGCPUXCPEXUQPWTSKEYSDPEICDQMMKUKJLDNQEHQQCYKRMWOUSJVTVSZJTFZCDVNUMEIZFWDNWCNCSCHBYNKRUSXPVMRIHGXDUPKXMZUIELSRXMZAEUNCCYZTEYLUYYRNSFUTHFESJOLGKJVGGNVJKSFSETAIHYOMLBOPRYAHSCATJUXNTWVZPEMECBVVHKHDELQRTQBEBXPJJ

Process:	C:\Users\user\Desktop\3SqWYf8qFi.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69211 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	69211
Entropy (8bit):	7.995787876711886
Encrypted:	true
SSDEEP:	1536:4vHkVfDISE//aDY0WAXTF+0daIpyFQaqPZkatNjgkFOE4/JZZWnEn6:4vHKfMSeKFXdBcmnXkksE40E6
MD5:	753DF6889FD7410A2E9FE333DA83A429
SHA1:	3C425F16E8267186061DD48AC1C77C122962456E
SHA-256:	B42DC237E44CBC9A43400E7D3F9CBD406DBDEFD62BFE87328F8663897D69DF78
SHA-512:	9D56F79410AD0CF852C74C3EF9454E7AE86E80BDD6FF67773994B48CCAC71142BCF5C90635DA6A056E1406E81E64674DB9584928E867C55B77B59E2851CF6444
Malicious:	false
Reputation:	unknown
Preview:	MSCF....[.......,...................I..................WR. .authroot.stl..L...5..CK..<Tk...p.k:.]...k..-.o.d.}.N.F....!.....$t)K."..DE.....v..gr...}?>.<.s..<...{.t..\F.e.F...8&.<..>...t8....`dqM4.y..t8..t..3..1.`\.:+.<].F...3.~.M.B.....J....PR.+..UUUV.GY...8...._vl.....H}.s.Pq..r.<.0.lG.C..e(..oe........9..'8..m.......G8T......sR..&=.J....s.U......#...).j...x.....gq.+.N:.Wj...V.t...(J.;^..Mr~e..}.q....q....eo..O.....@.B.S.....66.\|!.(.........D!k..&.. /.....H~.....}.(..\|.S..~8..A..(.#..w.Y.....'.F...y&.8......f..49r..N...(zX.0;.....000.3c)Z.v.5N'.z...rNFw,E.NY..#ua.o.$..Y?.-.=....}d...]......x_<.W....ya.3.a..SQT.U..\|!.pyCA..-h..Y..>n......^.U.....H...EY.\.......}.-(....h..=xiV.O.W@p.=.r.i..c...c....S.x.;..GWf...=.:.....S.c/..v..3.iG<.&..%...8..=}.....+.n\?0"A.Y%<......+..O. .9..#..>.....5.2.j.1<.Z.>v..j...wr.i.:....!...;.N[.q..z9j..l.R.&,....$.V...k.j..Tc..m..D!%....".Y.#V."w.\|....L\| ..p........w.=..ck...<........{s..w..};../.=...k....YH.

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	2146714
Entropy (8bit):	7.981933831324803
Encrypted:	false
SSDEEP:	49152:LCani5uuCsnFsOVBPivSHGhkSmGqV9vqQiOK57WH7XCc:26i5uu3qOnPi8Gh3REvqQiOK+Lb
MD5:	AF528677E66608860208878377380FD9
SHA1:	0414F65A08126C60AB802933D47DE0F44487CFB0
SHA-256:	F31521168BA53BF2CFAA451586A8115500E52C948787E5E112F4C8FBD350B474
SHA-512:	4771C7606046EF28DDB960463728B27B4C518FE9879A52856A6D4C89BF3EF9E534A9AD14F820247242EFA610575F6CF570D9F3C12D778F804879129181029126
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... W............................uC............@........................................... .................................\|........J...........................................................................................................text...$........................... .0`.data...............................@.`..rdata..8j.......l..................@.`@.bss......... ........................`..idata..\|...........................@.0..ndata..............................@.`..rsrc....J.......L..................@.0.........................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Reputation:	unknown
Preview:	0

Process:	C:\Users\user\Pictures\rMuSSyE2z14xNxfrVLVv1kvs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	60341248
Entropy (8bit):	7.9999847430357836
Encrypted:	true
SSDEEP:	1572864:PQlb1K2VRNro3znhnh15oy4WHfGVu9tNn8XGGub0mHmQM:4lp1Rxozhh74YfT7MGdZS
MD5:	899BFC77D3084FEE474EB6D12AD09980
SHA1:	52B13F0DD078DFBC6F989EBA1355240B2A6DE004
SHA-256:	FB9C038C94050817310EBDAD7D9349630FB4E4474AAB23516090A85D30EADCC7
SHA-512:	FE860B5397F8DEC9532D7CE7BDCD6206D5FAA0F97FBF0A6EAA16F5BCBFB86DF0D97E2DB4F5934A41EBD4BE5DB41C9C1E492E27D7B19FD79CCA572A81589BE3EF
Malicious:	true
Reputation:	unknown
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...'..P.................(...F.......-.......@....@..........................................................................b...........................)...........................................................@..d............................text....&.......(.................. ..`.rdata...5...@...6...*..............@..@.data....)...........`..............@....rsrc................h..............@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P....P.\|..Y.nj'.v....u..v..=.BA..6P......P....9^..].v8.^..3......hhDA.P..........P......P..pAA..E..E....;F.r......P.J\|..Y.24..j...lAA...t$..D....3.9.H.A.t...@....9D$.t..t$.Ph.....5@.A....BA.3.....D$..`...\|$..u..@.....3.....t$..D$..t$...`.A......t$...P.Q..%`.A...D$...V...t...P.Q...^...VW.\|$.....t...W.P.....t...P.Q..>.._^....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u..S.\$.V..C;^.tLW3.j.Z...........Q.......3.9F.Y~.9F.~...f..Af..G@;F.\|..6....

Process:	C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64869376
Entropy (8bit):	7.9999865343961005
Encrypted:	true
SSDEEP:	1572864:PQlb1K2VRNro3znhnh15oy4WHfGVu9tNn8XGGub0mHmQ8hop:4lp1Rxozhh74YfT7MGdZr
MD5:	D4B17A451511DF665A8007BDABC8081B
SHA1:	F04076C52E65E8195DFCE7D8CBEC06469BB0EE4F
SHA-256:	2FE939A5E8A9B8CA1B001C79A45C89F00761E65F24369853F0CADD59278237C1
SHA-512:	661C6C4BC073ADF704B11E4F5105CB7FC5B312F4BD19EC13CD81FAC5CDAD31EAD6CEEDE7DE78AC57DB645EB2BE6782FEC40CB314937020B66CF0AE1348D51E78
Malicious:	true
Reputation:	unknown
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...'..P.................(...F.......-.......@....@..........................................................................b...........................)...........................................................@..d............................text....&.......(.................. ..`.rdata...5...@...6...*..............@..@.data....)...........`..............@....rsrc................h..............@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P....P.\|..Y.nj'.v....u..v..=.BA..6P......P....9^..].v8.^..3......hhDA.P..........P......P..pAA..E..E....;F.r......P.J\|..Y.24..j...lAA...t$..D....3.9.H.A.t...@....9D$.t..t$.Ph.....5@.A....BA.3.....D$..`...\|$..u..@.....3.....t$..D$..t$...`.A......t$...P.Q..%`.A...D$...V...t...P.Q...^...VW.\|$.....t...W.P.....t...P.Q..>.._^....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u..S.\$.V..C;^.tLW3.j.Z...........Q.......3.9F.Y~.9F.~...f..Af..G@;F.\|..6....

Process:	C:\Users\user\Pictures\j1XOgROBJfvz0cRzU7rPw7NS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15360
Entropy (8bit):	6.41359178857374
Encrypted:	false
SSDEEP:	384:HcuogPGiR1HUv+PcmfbDJMtcodq1v98sFD6tqLIo:HcuLPx/MICtcGqZTGtxo
MD5:	2F84B47F2146465C02A7B609F1D43A60
SHA1:	163090A9EB9FC7744C876114419708F549E84A38
SHA-256:	317639883C5D14108E5AC6245AFF5E5FCACA15D23A1FF6174AB8073A3B0DCA79
SHA-512:	3B8FC136658E5DFEB2FAD2D2B907B4091390E0DD6C3FEDB414F6CBC08E1007B34BBE29E247F6A4E44D8803D32BBCC6A3306E770090E4E365D2F18CB78229C63A
Malicious:	true
Reputation:	unknown
Preview:	MZ`.....................@...................................`...........!..L.!Require Windows..$PE..L...'..P.................(...F.......-.......@....@..........................................................................b...........................)...........................................................@..d............................text....&.......(.................. ..`.rdata...5...@...6...*..............@..@.data....)...........`..............@....rsrc................h..............@..@........U..`.A.......S3.;.VWt.f9.b.A.t...`.A.P....P.\|..Y.nj'.v....u..v..=.BA..6P......P....9^..].v8.^..3......hhDA.P..........P......P..pAA..E..E....;F.r......P.J\|..Y.24..j...lAA...t$..D....3.9.H.A.t...@....9D$.t..t$.Ph.....5@.A....BA.3.....D$..`...\|$..u..@.....3.....t$..D$..t$...`.A......t$...P.Q..%`.A...D$...V...t...P.Q...^...VW.\|$.....t...W.P.....t...P.Q..>.._^....T$..L$....f..AABBf..u..L$.3.f9.t.@f.<A.u..S.\$.V..C;^.tLW3.j.Z...........Q.......3.9F.Y~.9F.~...f..Af..G@;F.\|..6....

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	19253
Entropy (8bit):	5.005213177851637
Encrypted:	false
SSDEEP:	384:JVib49PVoGIpN6KQkj2kkjh4iUxGhQw4h3OdB0NXp528vOjJwYo8YKib4o:JFPV3IpNBQkj2Nh4iUxGhl4h3OdB0NZf
MD5:	83CC0A063AE0CE6A770449E01B262D4C
SHA1:	C7CE3B64EDC6EE028A45E627CF26BF4FD53B71A1
SHA-256:	A9AEE05DF0FDCBF68D93BCDD148D152AA05DC301F6C7DA4E450C8D38AAF195AA
SHA-512:	BF95B77DBCDF81F4DE6D9D4CBCFDC286129CD413BE5C4196E22D9CDC8807FB9BC58C3F3F779157A85C9301EC4AC0EE12BB9E34F8B75AA6ED0C55DD80374D37A2
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

Process:	C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	2960760
Entropy (8bit):	7.768476822870185
Encrypted:	false
SSDEEP:	49152:snSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHa:/WqlkLESgCRE/vhOjb05efd6e/oXHa
MD5:	3C982E3594F2F49BE9CB21C88EDA12D6
SHA1:	11E9A1EA3A396FF4C8E988AD18547BC32271BA8F
SHA-256:	1D9260EEC107FE58C47C5EC70F99C91739FBA13EC8C90C92D432BDCA6796C381
SHA-512:	14916A03F1D9229EBD91FF2E08788880100139DA3BCB9FD2601EF800F9A156A58E2DA5E27CE8A0CCE1FB39DC836DC4803B6ED8EB9E6FD8D9D98F4B046F5855F5
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.....).-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...

Process:	C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	2960760
Entropy (8bit):	7.7684771284236795
Encrypted:	false
SSDEEP:	49152:5nSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXHx:AWqlkLESgCRE/vhOjb05efd6e/oXHx
MD5:	9BFF769347ADF4195895A2AA8C977EFF
SHA1:	6FFFA44F2676944F8EF58FB5CFD95BFEA01C881E
SHA-256:	08C8D1F053816719D8F03C23C2FDB3AB6D6DBE21DCB17B513F109DAEE3FA8EA3
SHA-512:	70A39EE9C5A37F891EA01618DC3E3ACF1A78E73B7619FE75A275532A43946E834420EC7BC41B77626853918075865C8BC06B7FEC2FD81B5E54C506A59E6D1E8F
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S......+....@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...

Process:	C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	2960760
Entropy (8bit):	7.768476278129193
Encrypted:	false
SSDEEP:	49152:lnSiPqYQwkkSJiNlwsmSgBmfPl/nJ8UE/JjhhOjbLI/xsAePXdcTC3v3oBXH0:8WqlkLESgCRE/vhOjb05efd6e/oXH0
MD5:	968B869AA841B0C675BF2C61DFEAA509
SHA1:	78DB97489F21B53BC7F580F107BD2D1B19D70864
SHA-256:	2249D665BDE0C3FB63E2D24EECA3FFC57DDC4E11C108BE6D23BCE4648B2241EC
SHA-512:	87C005BB51AA85B2C289271F925FDC0B7D02B06670A31C6B699956880F1B925E28333C9B9975B564B44C6C3C65E504269143A2874C38CD000ABEC0A75A2D5EEA
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e..........".......,......`&. .R..p&...R...@...........................S.......-...@..................................pS.......R..............-.x+...qS...............................R.......R.............................................UPX0.....`&.............................UPX1......,..p&..~,.................@....rsrc.........R.......,.............@...4.22.UPX!......^..\l.R..z,..VR.&..xa.!.U..]....U..1.]........SWV.....E.`..@....@.......@d.....d....}...........M.1..U..A.M.).).9..L.M.4.....9.r.9.wx.u..t.SPQ...;..U.....B.......B..M...;}.}<.M...Z.9.r........X$.E...........,......t.....`..A1.CL.1..E....F......w.s..^_[]...>..h......C.......M......U........[......WV....x ..m.u.....1.H^_].F..H..N......5.@8.n??M.@.n..P..@.G~...}..O.<..G.)...p..9.r....9.....pI.SQR.....;.....L}..W......w....;E.}H.._.9.r..E.....E....{..X0.T........u.W.F.E.@...

Process:	C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\rMuSSyE2z14xNxfrVLVv1kvs.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4852640
Entropy (8bit):	6.878125903025885
Encrypted:	false
SSDEEP:	98304:g6666666666666666666666666666666x666666666666666fwwwwwwwwwwwwwwC:lfKo30lSzTXr4dHUkrPwh/X5zWilPD5N
MD5:	FDEB4D1D95A738BA8882988A97A12D32
SHA1:	42DD25CAE583521AA96A02B5135BBA6FDE9AC3FB
SHA-256:	1C52520C6D2398A266245A1D29FCF5B58FF7BB8F7ECF8868898BAB7BCAD37D6E
SHA-512:	4CB87510D4612A36C83543CA58A17469AA8AAEE569481C121D2D70A7923D7174EFBDCEDE18342F49BB26AA0BBCD44B58630697EF54986AA5EFBF2B3920EF33CF
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...)..e.........."!.....`3..z......@.'.......................................K.....8.J...@A.........................];.m....];.......=..4............I..)....I.p.....;.....................0.;......x3..............h;.4...<\;.`....................text...._3......`3................. ..`.rdata...[...p3..\...d3.............@..@.data.........;..@....;.............@....rodata......p=.......<............. ..`.tls....].....=.......<.............@...CPADinfo0.....=.......<.............@...malloc_h......=.......<............. ..`.rsrc....4....=..6....<.............@..@.reloc..p.....I......>H.............@..B................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\BroomSetup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	4.806068215477973
Encrypted:	false
SSDEEP:	3:HFUuvaOpLKBchEXEtTC5WAut+kiE2J5xAIEyrKBySKFS3:Ogas7SXEFAuwkn23faKS3
MD5:	43A95207D30C95F513309A882D511D25
SHA1:	B5088D2A0F8BDEBFCABCB194362AB59D20014F29
SHA-256:	DDA9B22F2D2D9CFF7036DEEBDDE40E7CDB62F2587DFC304FE32EF9BFA974DFB6
SHA-512:	52BDAA18A5883343C56F33FC631D2E63B2D30730C482D8278FFA9C8CD9E6469DC88BB32DFDF16118E279D6DC715C92D8DBF534A4D8698195CD14DFD7BC7034ED
Malicious:	false
Reputation:	unknown
Preview:	chcp 1251.. schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F..

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.19067578612513
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	3SqWYf8qFi.exe
File size:	46'816 bytes
MD5:	27b3e45a81641d0e7d0dea29938774ae
SHA1:	b169677b0772e523a49aee97a0d5aca89ade3068
SHA256:	ab7237aba6c89c09aeaf5111575614041aafc280f2461f3e669195ce6943e4e1
SHA512:	27287844bd394e834f7832cfa236fcc7c8f52035ead0226a5108adb5e349cb3bd505e2aa39c83100ce09e12f46a78bea4e43cbd93feeae8a761cda36e96c16c6
SSDEEP:	768:l9KG4oE3utrXgye+k9l2eeicYSFQLq34pUr2SIO8BC45SNUgRaCEFiRvk:7KG4p3utzgH195eicDFSqopUiJArNNRG
TLSH:	2F238E7177BC823BCEAF0AB4646152000374D362AE42CFBD2DD9A1DE58977C503623AB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...I.B..........."...0.....&............ ....@...... ..............................J.....`................................

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xAF428149 [Tue Mar 6 01:47:53 2063 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Signature Valid:	false
Signature Issuer:	C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	12/03/2024 08:58:25 12/03/2025 08:58:25
Subject Chain	C=US, S=Washington, L=Redmond, OU=Microsoft Corporation, O=Microsoft Corporation, CN=Microsoft Code Signing PCA 2011
Version:	3
Thumbprint MD5:	6F7B463152C74EE5B9FB9EE710D533C8
Thumbprint SHA-1:	9CFF85D86FB9513952E088C0625A3477DBA8BE71
Thumbprint SHA-256:	78DC0E6A3749E01CE1C5413DBB350ED48221D96B0C331BF732A985E74E5DE6C0
Serial:	2D12E4E96E80CFDC437AFF543B3B77AA

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x626	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x9e00	0x18e0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb310	0x38	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x93e6	0x9400	15161743413fd589518921a9c7eba0c6	False	0.5047508445945946	data	5.9614551171159205	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x626	0x800	7ccd95491660fbda3924dbe08f84df33	False	0.32421875	data	3.4778778318304995	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xc0a0	0x39c	data			0.38852813852813856
RT_MANIFEST	0xc43c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Target ID:	0
Start time:	12:03:52
Start date:	12/03/2024
Path:	C:\Users\user\Desktop\3SqWYf8qFi.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\3SqWYf8qFi.exe
Imagebase:	0x28b2b930000
File size:	46'816 bytes
MD5 hash:	27B3E45A81641D0E7D0DEA29938774AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	12:04:10
Start date:	12/03/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3SqWYf8qFi.exe" -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3SqWYf8qFi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Bitcoin Miner

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AIXACVYBSB.docx

C:\ProgramData\BAEBFIIE

C:\ProgramData\BPMLNOBVSB.docx

C:\ProgramData\BPMLNOBVSB.xlsx

C:\ProgramData\BXAJUJAOEO.xlsx

C:\ProgramData\DTBZGIOOSO.docx

C:\ProgramData\DTBZGIOOSO.xlsx

Windows Analysis Report
3SqWYf8qFi.exe

Target ID:	9
Start time:	12:04:11
Start date:	12/03/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6908 -s 56832
Imagebase:	0x7ff76e1b0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	10
Start time:	12:04:14
Start date:	12/03/2024
Path:	C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\vkIsjAzkgrOzUK7uj2IHc9JM.exe"
Imagebase:	0x400000
File size:	2'146'714 bytes
MD5 hash:	AF528677E66608860208878377380FD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	11
Start time:	12:04:15
Start date:	12/03/2024
Path:	C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\F3bLUEvvHahM06jSZWbJPDdX.exe"
Imagebase:	0x400000
File size:	4'283'784 bytes
MD5 hash:	5F2CE2E258A6EEF93E5E22DCE2717F82
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	15
Start time:	12:04:16
Start date:	12/03/2024
Path:	C:\Users\user\AppData\Local\Temp\syncUpd.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\syncUpd.exe
Imagebase:	0x400000
File size:	204'800 bytes
MD5 hash:	C722591F624FB69970F246B8C81D830F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000F.00000003.1947105334.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 0000000F.00000003.1947105334.00000000007B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000F.00000002.2876636083.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 0000000F.00000002.2876636083.0000000000400000.00000040.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000F.00000002.2877180819.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 0000000F.00000002.2877180819.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000F.00000002.2877180819.00000000006A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000F.00000002.2877662329.0000000000833000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000F.00000002.2877720615.0000000000848000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	19
Start time:	12:04:22
Start date:	12/03/2024
Path:	C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe" --silent --allusers=0
Imagebase:	0x1a0000
File size:	2'960'760 bytes
MD5 hash:	968B869AA841B0C675BF2C61DFEAA509
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	24
Start time:	12:04:24
Start date:	12/03/2024
Path:	C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\VySSnHhKNg09wrV9qkpgKtg9.exe"
Imagebase:	0x400000
File size:	4'283'784 bytes
MD5 hash:	5F2CE2E258A6EEF93E5E22DCE2717F82
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	29
Start time:	12:04:25
Start date:	12/03/2024
Path:	C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\zKY9gVt7bugdAVV29pfHDO1J.exe" --silent --allusers=0
Imagebase:	0x840000
File size:	2'960'760 bytes
MD5 hash:	9D6D8C23FE185D39AA9259B64543248E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	31
Start time:	12:04:29
Start date:	12/03/2024
Path:	C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Pictures\UPwYHcUA3TbsX6l2qc9SZcBH.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2f4,0x2f8,0x2fc,0x2d4,0x300,0x6b8021c8,0x6b8021d4,0x6b8021e0
Imagebase:	0x1a0000
File size:	2'960'760 bytes
MD5 hash:	968B869AA841B0C675BF2C61DFEAA509
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	32
Start time:	12:04:32
Start date:	12/03/2024
Path:	C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Pictures\Rfsq67IamA4rPpnX6LHMDFkm.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.24 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2c4,0x304,0x6bd721c8,0x6bd721d4,0x6bd721e0
Imagebase:	0xca0000
File size:	2'960'760 bytes
MD5 hash:	9BFF769347ADF4195895A2AA8C977EFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	35
Start time:	12:04:33
Start date:	12/03/2024
Path:	C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\2n6aZsnLKtKXJNMzWvG8Ou1L.exe" --silent --allusers=0
Imagebase:	0x90000
File size:	2'960'760 bytes
MD5 hash:	3C982E3594F2F49BE9CB21C88EDA12D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true