Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
W3UokmKK3o.msi

Overview

General Information

Sample name:W3UokmKK3o.msi
renamed because original name is a hash value
Original sample name:c1004b09968d8ff1f0720c5525bca3af281a0f8c71cc0aad73fd9bb0d531ff85.msi
Analysis ID:1565725
MD5:5838e52d76526df907f4ab624800f5c3
SHA1:5f3706aa844df3d269b0ec7ac0029f927c16070c
SHA256:c1004b09968d8ff1f0720c5525bca3af281a0f8c71cc0aad73fd9bb0d531ff85
Tags:bankercontadorperuElonMusKLPeruisocert-secaac-comlatammsiousabantrojanuser-johnk3r
Infos:

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 3552 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\W3UokmKK3o.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 5440 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 3128 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 2AE652A063EEB462FDD602157B8A2647 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • OperaWebPros.exe (PID: 6104 cmdline: "C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • OperaWebPros.exe (PID: 6384 cmdline: "C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • OperaWebPros.exe (PID: 5644 cmdline: "C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • OperaWebPros.exe (PID: 1216 cmdline: "C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe" MD5: CEEF4762B36067F1D32A0DB621EE967E)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000003.00000000.1692325796.0000000000401000.00000020.00000001.01000000.00000003.sdmpJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      3.0.OperaWebPros.exe.400000.0.unpackJoeSecurity_DelphiSystemParamCountDetected Delphi use of System.ParamCount()Joe Security

        Sigma Signatures

        System Summary

        barindex
        Sigma detected: CurrentVersion Autorun Keys Modification
        Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe, ProcessId: 6104, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OperaWebPros.exe

        Suricata Signatures

        No Suricata rule has matched

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Multi AV Scanner detection for dropped file
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\WebUI.dllReversingLabs: Detection: 54%
        Multi AV Scanner detection for submitted file
        Source: W3UokmKK3o.msiReversingLabs: Detection: 34%
        AI detected suspicious sample
        Source: Submited SampleIntegrated Neural Analysis Model: Matched 96.0% probability
        Machine Learning detection for dropped file
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\WebUI.dllJoe Sandbox ML: detected
        Source: unknownHTTPS traffic detected: 195.179.237.110:443 -> 192.168.2.4:49730 version: TLS 1.2
        Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: W3UokmKK3o.msi, 40264d.msi.1.dr, MSI292D.tmp.1.dr, MSI290D.tmp.1.dr, MSI29DB.tmp.1.dr, MSI289F.tmp.1.dr
        Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: c:Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
        Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: global trafficHTTP traffic detected: GET /contadorperu/ElonMusKLPeru.php HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: isocert-secaac.comConnection: Keep-Alive
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficHTTP traffic detected: GET /contadorperu/ElonMusKLPeru.php HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: isocert-secaac.comConnection: Keep-Alive
        Source: global trafficDNS traffic detected: DNS query: isocert-secaac.com
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://ocsp.digicert.com0C
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://ocsp.digicert.com0H
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://ocsp.digicert.com0I
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://ocsp.digicert.com0O
        Source: OperaWebPros.exe, 00000003.00000000.1692325796.0000000000401000.00000020.00000001.01000000.00000003.sdmp, OperaWebPros.exe.1.drString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
        Source: OperaWebPros.exe, 00000003.00000000.1692325796.0000000000401000.00000020.00000001.01000000.00000003.sdmp, OperaWebPros.exe.1.drString found in binary or memory: http://stats.itopvpn.com/iusage.php
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://www.digicert.com/CPS0
        Source: OperaWebPros.exe.1.drString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
        Source: OperaWebPros.exe, 00000005.00000002.2143103636.0000000068B48000.00000020.00000001.01000000.00000004.sdmp, OperaWebPros.exe, 00000005.00000002.2099868852.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, OperaWebPros.exe, 00000008.00000002.2183433564.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2219704017.00000000025E0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.indyproject.org/
        Source: OperaWebPros.exe, 00000008.00000002.2175475453.0000000000885000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2212023553.0000000000727000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/
        Source: OperaWebPros.exe, 00000009.00000002.2212023553.0000000000727000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/$
        Source: OperaWebPros.exe, 00000009.00000002.2210385293.0000000000190000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php
        Source: OperaWebPros.exe, 00000008.00000002.2175475453.0000000000847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php00
        Source: OperaWebPros.exe, 00000008.00000002.2175475453.0000000000857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php04
        Source: OperaWebPros.exe, 00000008.00000002.2175475453.0000000000857000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2212023553.0000000000703000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php2
        Source: OperaWebPros.exe, 00000009.00000002.2212023553.0000000000703000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php43
        Source: OperaWebPros.exe, 00000005.00000002.2077592296.0000000000886000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php43J
        Source: OperaWebPros.exe, 00000005.00000002.2069955883.0000000000190000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php7
        Source: OperaWebPros.exe, 00000008.00000002.2175475453.0000000000847000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2210385293.0000000000190000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php:
        Source: OperaWebPros.exe, 00000005.00000002.2077592296.0000000000877000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000005.00000002.2077592296.0000000000886000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpB
        Source: OperaWebPros.exe, 00000008.00000002.2175475453.0000000000885000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpC:
        Source: OperaWebPros.exe, 00000009.00000002.2210385293.0000000000190000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpF
        Source: OperaWebPros.exe, 00000005.00000002.2077592296.0000000000886000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpJ
        Source: OperaWebPros.exe, 00000005.00000002.2077592296.0000000000886000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000008.00000002.2175475453.0000000000857000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2212023553.0000000000703000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpKLP
        Source: OperaWebPros.exe, 00000008.00000002.2175475453.00000000007F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpMy
        Source: OperaWebPros.exe, 00000008.00000002.2175475453.0000000000885000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpQ
        Source: OperaWebPros.exe, 00000005.00000002.2069955883.0000000000190000.00000004.00000010.00020000.00000000.sdmp, OperaWebPros.exe, 00000008.00000002.2173076849.0000000000190000.00000004.00000010.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2212023553.0000000000703000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2210385293.0000000000190000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpR
        Source: OperaWebPros.exe, 00000005.00000002.2069955883.0000000000190000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpRC
        Source: OperaWebPros.exe, 00000008.00000002.2175475453.0000000000847000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpVn1
        Source: OperaWebPros.exe, 00000005.00000002.2077592296.00000000008C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpX
        Source: OperaWebPros.exe, 00000008.00000002.2175475453.0000000000885000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2212023553.00000000006E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpZZC:
        Source: OperaWebPros.exe, 00000005.00000002.2077592296.0000000000877000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000005.00000002.2077592296.0000000000886000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php_
        Source: OperaWebPros.exe, 00000008.00000002.2175475453.0000000000885000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpa
        Source: OperaWebPros.exe, 00000005.00000002.2077592296.0000000000877000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpb
        Source: OperaWebPros.exe, 00000005.00000002.2077592296.0000000000886000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpj
        Source: OperaWebPros.exe, 00000008.00000002.2175475453.0000000000857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpp
        Source: OperaWebPros.exe, 00000005.00000002.2077592296.0000000000877000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000005.00000002.2077592296.00000000008C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpt
        Source: OperaWebPros.exe, 00000005.00000002.2077592296.00000000008C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpx
        Source: OperaWebPros.exe, 00000008.00000002.2175475453.0000000000885000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/e
        Source: OperaWebPros.exe, 00000008.00000002.2175475453.0000000000885000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/m
        Source: OperaWebPros.exe, 00000009.00000002.2212023553.0000000000727000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://isocert-secaac.com/u
        Source: OperaWebPros.exe, 00000005.00000002.2077592296.00000000008C7000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000008.00000002.2175475453.0000000000885000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2212023553.0000000000727000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
        Source: OperaWebPros.exe.1.drString found in binary or memory: https://www.digicert.com/CPS0
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
        Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
        Source: unknownHTTPS traffic detected: 195.179.237.110:443 -> 192.168.2.4:49730 version: TLS 1.2

        System Summary

        barindex
        PE file contains section with special chars
        Source: WebUI.dll.1.drStatic PE information: section name: .p=T
        Source: WebUI.dll.1.drStatic PE information: section name: .,Bp
        Source: WebUI.dll.1.drStatic PE information: section name: .* [
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C0E99BF NtDelayExecution,9_2_6C0E99BF
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C2DF95B NtQueryInformationProcess,9_2_6C2DF95B
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C24AFA7 NtQuerySystemInformation,9_2_6C24AFA7
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\40264d.msiJump to behavior
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI289F.tmpJump to behavior
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI290D.tmpJump to behavior
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI292D.tmpJump to behavior
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI296D.tmpJump to behavior
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI29DB.tmpJump to behavior
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{356E8AF0-E912-4E89-B183-782686754D6E}Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2A59.tmpJump to behavior
        Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI289F.tmpJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A73503C8_2_6A73503C
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAD37FA8_2_6AAD37FA
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A9AC28C8_2_6A9AC28C
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A9AFE538_2_6A9AFE53
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A9AFE498_2_6A9AFE49
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A9AF3028_2_6A9AF302
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A9ABF5C8_2_6A9ABF5C
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A9AE8BF8_2_6A9AE8BF
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A9AF83E8_2_6A9AF83E
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A9AC52C8_2_6A9AC52C
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A9AE5518_2_6A9AE551
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6B0038118_2_6B003811
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF77308_2_6AAF7730
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF6E838_2_6AAF6E83
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF306D8_2_6AAF306D
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF2A4B8_2_6AAF2A4B
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF41838_2_6AAF4183
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF05C38_2_6AAF05C3
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF3B248_2_6AAF3B24
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF1D0F8_2_6AAF1D0F
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF3F7F8_2_6AAF3F7F
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6B1033168_2_6B103316
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6B0131599_2_6B013159
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6B0139EF9_2_6B0139EF
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6B0144F59_2_6B0144F5
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6A74214D9_2_6A74214D
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6A1A8A3D9_2_6A1A8A3D
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6A1A8A7D9_2_6A1A8A7D
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C2DD0169_2_6C2DD016
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C2DDC6F9_2_6C2DDC6F
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C2DFA959_2_6C2DFA95
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C2DC0FB9_2_6C2DC0FB
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C2DB92A9_2_6C2DB92A
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C2DDD859_2_6C2DDD85
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C24A4AA9_2_6C24A4AA
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C2464B49_2_6C2464B4
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C2499059_2_6C249905
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C24A7099_2_6C24A709
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C2467869_2_6C246786
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C2495829_2_6C249582
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C2493C79_2_6C2493C7
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C0412299_2_6C041229
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C0454449_2_6C045444
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C04487A9_2_6C04487A
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C04017D9_2_6C04017D
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C0435D99_2_6C0435D9
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C0433FA9_2_6C0433FA
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C2D12A99_2_6C2D12A9
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C2D11869_2_6C2D1186
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C24E23D9_2_6C24E23D
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C24DA1D9_2_6C24DA1D
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C24D1579_2_6C24D157
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C24F6B99_2_6C24F6B9
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C24EC9D9_2_6C24EC9D
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C24D3F79_2_6C24D3F7
        Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB
        Source: WebUI.dll.1.drStatic PE information: Number of sections : 13 > 10
        Source: W3UokmKK3o.msiBinary or memory string: OriginalFilenameAICustAct.dllF vs W3UokmKK3o.msi
        Source: classification engineClassification label: mal76.evad.winMSI@9/26@1/1
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CML2A83.tmpJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMutant created: NULL
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$18f0
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMutant created: \Sessions\1\BaseNamedObjects\gg24UGs6BG
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$17d8
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$4c0
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$160c
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DFF5563F742D086EF9.TMPJump to behavior
        Source: Yara matchFile source: 3.0.OperaWebPros.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000003.00000000.1692325796.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara matchFile source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe, type: DROPPED
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: W3UokmKK3o.msiReversingLabs: Detection: 34%
        Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\W3UokmKK3o.msi"
        Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
        Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2AE652A063EEB462FDD602157B8A2647
        Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe "C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe"
        Source: unknownProcess created: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe "C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe"
        Source: unknownProcess created: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe "C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe"
        Source: unknownProcess created: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe "C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe"
        Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 2AE652A063EEB462FDD602157B8A2647Jump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe "C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe"Jump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: msimg32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wsock32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: webui.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: magnification.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wtsapi32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: d3d9.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: security.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: olepro32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: faultrep.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dbgcore.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: ieframe.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dataexchange.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: d3d11.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dcomp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dxgi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: idndl.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: msiso.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: mshtml.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: schannel.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: mskeyprotect.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: ncryptsslp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: srpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: mlang.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: msimg32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wsock32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: webui.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: magnification.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wtsapi32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: d3d9.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: security.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: olepro32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: faultrep.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dbgcore.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: ieframe.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dataexchange.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: d3d11.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dcomp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dxgi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: idndl.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: msiso.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: mshtml.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: msimg32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wsock32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: webui.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: magnification.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wtsapi32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: d3d9.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: security.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: olepro32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: faultrep.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dbgcore.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: ieframe.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dataexchange.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: d3d11.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dcomp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dxgi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: idndl.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: msiso.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: mshtml.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: msimg32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: version.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wsock32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: webui.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: magnification.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wtsapi32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: d3d9.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: security.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: secur32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: olepro32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: faultrep.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dbgcore.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: textshaping.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: ieframe.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: netapi32.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wkscli.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dataexchange.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: d3d11.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dcomp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dxgi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: twinapi.appcore.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: idndl.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: msiso.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: wininet.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: mshtml.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32Jump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: W3UokmKK3o.msiStatic file information: File size 21371904 > 1048576
        Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: W3UokmKK3o.msi, 40264d.msi.1.dr, MSI292D.tmp.1.dr, MSI290D.tmp.1.dr, MSI29DB.tmp.1.dr, MSI289F.tmp.1.dr
        Source: initial sampleStatic PE information: section where entry point is pointing to: .* [
        Source: WebUI.dll.1.drStatic PE information: section name: .didata
        Source: WebUI.dll.1.drStatic PE information: section name: .p=T
        Source: WebUI.dll.1.drStatic PE information: section name: .,Bp
        Source: WebUI.dll.1.drStatic PE information: section name: .* [
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A9ABE5B push 00000077h; ret 8_2_6A9ABE77
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A9B0BD2 push ecx; iretd 8_2_6A9B0BD8
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A9ADC8A pushfd ; iretd 8_2_6A9ADC8B
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A9AFCFA push ebp; retf 8_2_6A9AFD28
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A9AE45D push 27A60BF7h; iretd 8_2_6A9AE466
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A9AAC75 push dword ptr [edx+65h]; ret 8_2_6A9AAC79
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A9B05F0 push 203A82FEh; retf 8_2_6A9B05F5
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6B002A06 push eax; retf 8_2_6B002A23
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6B0034CA push eax; iretd 8_2_6B0034CB
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6B002B63 push cs; ret 8_2_6B002B6C
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF1ABF push dword ptr [ebx]; retf 8_2_6AAF1BAA
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF2E07 push esi; iretd 8_2_6AAF2E08
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF3204 push esp; retf 8_2_6AAF3238
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF4A46 push ebx; retf 8_2_6AAF4A54
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF018E push edx; retf 8_2_6AAF023F
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF6384 push eax; ret 8_2_6AAF6388
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF4DF3 push eax; iretd 8_2_6AAF4DF4
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF5323 push ds; ret 8_2_6AAF5324
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF3703 push edi; retf 8_2_6AAF3704
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_69A0266B push esi; iretd 8_2_69A02673
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A2A7829 push edi; iretd 8_2_6A2A782C
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A2A73CF push es; ret 8_2_6A2A73E7
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A2A799E push esp; iretd 8_2_6A2A79CF
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AFE2B57 push ss; ret 8_2_6AFE2B59
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6B103F3C push ds; retf 8_2_6B103F3F
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6B015343 push eax; iretd 9_2_6B015354
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6B014177 push edx; ret 9_2_6B01417F
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6B015095 push edi; ret 9_2_6B01509E
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6B0123A9 push edi; iretd 9_2_6B0123AD
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6A3A6959 push edi; retf 9_2_6A3A69CB
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6A3A699F push edi; retf 9_2_6A3A69CB
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI290D.tmpJump to dropped file
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI29DB.tmpJump to dropped file
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI289F.tmpJump to dropped file
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\WebUI.dllJump to dropped file
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI292D.tmpJump to dropped file
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeJump to dropped file
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI296D.tmpJump to dropped file
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI290D.tmpJump to dropped file
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI29DB.tmpJump to dropped file
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI289F.tmpJump to dropped file
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI292D.tmpJump to dropped file
        Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI296D.tmpJump to dropped file
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OperaWebPros.exeJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OperaWebPros.exeJump to behavior

        Hooking and other Techniques for Hiding and Protection

        barindex
        Overwrites code with unconditional jumps - possibly settings hooks in foreign process
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 650005 value: E9 8B 2F 8B 76 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 76F02F90 value: E9 7A D0 74 89 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 7D0005 value: E9 2B BA 6F 76 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 76ECBA30 value: E9 DA 45 90 89 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 7E0008 value: E9 8B 8E 73 76 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 76F18E90 value: E9 80 71 8C 89 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 800005 value: E9 8B 4D 3F 75 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 75BF4D90 value: E9 7A B2 C0 8A Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 810005 value: E9 EB EB 3F 75 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 75C0EBF0 value: E9 1A 14 C0 8A Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 820005 value: E9 8B 8A 7B 74 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 74FD8A90 value: E9 7A 75 84 8B Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 830005 value: E9 2B 02 7D 74 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 75000230 value: E9 DA FD 82 8B Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 4A3E60 value: E9 FB 65 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 4A397C value: E9 FB 68 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 49FCC0 value: E9 0B E7 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 49FCE4 value: E9 6B E7 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 49FCF4 value: E9 FF E8 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6104 base: 49FCB0 value: E9 B7 EA 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 7B0005 value: E9 8B 2F 75 76 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 76F02F90 value: E9 7A D0 8A 89 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 7D0005 value: E9 2B BA 6F 76 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 76ECBA30 value: E9 DA 45 90 89 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 7E0008 value: E9 8B 8E 73 76 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 76F18E90 value: E9 80 71 8C 89 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 800005 value: E9 8B 4D 3F 75 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 75BF4D90 value: E9 7A B2 C0 8A Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 22C0005 value: E9 EB EB 94 73 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 75C0EBF0 value: E9 1A 14 6B 8C Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 22D0005 value: E9 8B 8A D0 72 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 74FD8A90 value: E9 7A 75 2F 8D Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 22E0005 value: E9 2B 02 D2 72 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 75000230 value: E9 DA FD 2D 8D Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 4A3E60 value: E9 FB 65 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 4A397C value: E9 FB 68 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 49FCC0 value: E9 0B E7 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 49FCE4 value: E9 6B E7 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 49FCF4 value: E9 FF E8 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 6384 base: 49FCB0 value: E9 B7 EA 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 760005 value: E9 8B 2F 7A 76 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 76F02F90 value: E9 7A D0 85 89 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 7D0005 value: E9 2B BA 6F 76 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 76ECBA30 value: E9 DA 45 90 89 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 7E0008 value: E9 8B 8E 73 76 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 76F18E90 value: E9 80 71 8C 89 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 22B0005 value: E9 8B 4D 94 73 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 75BF4D90 value: E9 7A B2 6B 8C Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 22C0005 value: E9 EB EB 94 73 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 75C0EBF0 value: E9 1A 14 6B 8C Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 22D0005 value: E9 8B 8A D0 72 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 74FD8A90 value: E9 7A 75 2F 8D Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 22E0005 value: E9 2B 02 D2 72 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 75000230 value: E9 DA FD 2D 8D Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 4A3E60 value: E9 FB 65 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 4A397C value: E9 FB 68 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 49FCC0 value: E9 0B E7 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 49FCE4 value: E9 6B E7 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 49FCF4 value: E9 FF E8 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 5644 base: 49FCB0 value: E9 B7 EA 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 690005 value: E9 8B 2F 87 76 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 76F02F90 value: E9 7A D0 78 89 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 7B0005 value: E9 2B BA 71 76 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 76ECBA30 value: E9 DA 45 8E 89 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 7C0008 value: E9 8B 8E 75 76 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 76F18E90 value: E9 80 71 8A 89 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 21A0005 value: E9 8B 4D A5 73 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 75BF4D90 value: E9 7A B2 5A 8C Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 21B0005 value: E9 EB EB A5 73 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 75C0EBF0 value: E9 1A 14 5A 8C Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 21C0005 value: E9 8B 8A E1 72 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 74FD8A90 value: E9 7A 75 1E 8D Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 21D0005 value: E9 2B 02 E3 72 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 75000230 value: E9 DA FD 1C 8D Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 4A3E60 value: E9 FB 65 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 4A397C value: E9 FB 68 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 49FCC0 value: E9 0B E7 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 49FCE4 value: E9 6B E7 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 49FCF4 value: E9 FF E8 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory written: PID: 1216 base: 49FCB0 value: E9 B7 EA 06 00 Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion

        barindex
        Switches to a custom stack to bypass stack traces
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B1E6823
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B23B4FD
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C2D2CAF
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B22E320
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B23E256
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C187ECA
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6BFFD920
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C2C706F
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B208205
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B21B835
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B103423
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C0EF00E
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C1BB9B4
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C11C4BD
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B11EA98
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C15EB4F
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C28DC02
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C27F274
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B1F56E3
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B3F01E5
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C2E1E50
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C32E389
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B0DB376
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C18009C
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C3416FC
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B242716
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B276399
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C09FFC9
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B1EED1F
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C14C48B
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B24CB65
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C09D0E8
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B3EAB01
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B1AF5C2
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C0447B6
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C28073C
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B0A6234
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C1A2AB2
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B21DF8E
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C34470C
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C19A5D8
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C2D1A1B
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6B3E7807
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeAPI/Special instruction interceptor: Address: 6C1AE27D
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory allocated: 6020000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory allocated: 6010000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory allocated: 6030000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeMemory allocated: 5F80000 memory reserve | memory write watchJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C14C23A rdtsc 9_2_6C14C23A
        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI290D.tmpJump to dropped file
        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI29DB.tmpJump to dropped file
        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI289F.tmpJump to dropped file
        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI292D.tmpJump to dropped file
        Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI296D.tmpJump to dropped file
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe TID: 2536Thread sleep time: -40000s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809Jump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809Jump to behavior
        Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6AAF7730 GetSystemInfo,8_2_6AAF7730
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeThread delayed: delay time: 40000Jump to behavior
        Source: OperaWebPros.exe, 00000008.00000002.2175475453.0000000000847000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
        Source: OperaWebPros.exe, 00000009.00000002.2212023553.00000000006F3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
        Source: OperaWebPros.exe, 00000005.00000002.2077592296.0000000000877000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 9_2_6C14C23A rdtsc 9_2_6C14C23A
        Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exeCode function: 8_2_6A2A7BE5 LdrFindResource_U,8_2_6A2A7BE5
        Source: C:\Windows\System32\msiexec.exeProcess created: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe "C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe"Jump to behavior
        Source: OperaWebPros.exe, 00000003.00000000.1692325796.0000000000401000.00000020.00000001.01000000.00000003.sdmp, OperaWebPros.exe.1.drBinary or memory string: ProgmanU
        Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior

        Mitre Att&ck Matrix

        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire Infrastructure1
        Replication Through Removable Media        		Windows Management Instrumentation1
        Registry Run Keys / Startup Folder        		2
        Process Injection        		21
        Masquerading        		1
        Credential API Hooking        		1
        Query Registry        		Remote Services1
        Credential API Hooking        		11
        Encrypted Channel        		Exfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault AccountsScheduled Task/Job1
        DLL Side-Loading        		1
        Registry Run Keys / Startup Folder        		1
        Disable or Modify Tools        		LSASS Memory211
        Security Software Discovery        		Remote Desktop Protocol1
        Archive Collected Data        		1
        Ingress Tool Transfer        		Exfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
        DLL Side-Loading        		21
        Virtualization/Sandbox Evasion        		Security Account Manager2
        Process Discovery        		SMB/Windows Admin SharesData from Network Shared Drive2
        Non-Application Layer Protocol        		Automated ExfiltrationData Encrypted for Impact
        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
        Process Injection        		NTDS21
        Virtualization/Sandbox Evasion        		Distributed Component Object ModelInput Capture13
        Application Layer Protocol        		Traffic DuplicationData Destruction
        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
        Obfuscated Files or Information        		LSA Secrets11
        Peripheral Device Discovery        		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
        Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
        DLL Side-Loading        		Cached Domain Credentials123
        System Information Discovery        		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
        DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
        File Deletion        		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        W3UokmKK3o.msi34%ReversingLabsWin32.Trojan.Generic

        Dropped Files

        SourceDetectionScannerLabelLink
        C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\WebUI.dll100%Joe Sandbox ML
        C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe3%ReversingLabs
        C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\WebUI.dll54%ReversingLabsWin32.Trojan.Generic
        C:\Windows\Installer\MSI289F.tmp0%ReversingLabs
        C:\Windows\Installer\MSI290D.tmp0%ReversingLabs
        C:\Windows\Installer\MSI292D.tmp0%ReversingLabs
        C:\Windows\Installer\MSI296D.tmp0%ReversingLabs
        C:\Windows\Installer\MSI29DB.tmp0%ReversingLabs

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpB0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpZZC:0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpC:0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php000%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php040%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpX0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php_0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpVn10%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpF0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpJ0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpRC0%Avira URL Cloudsafe
        https://isocert-secaac.com/m0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpMy0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpR0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpQ0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpKLP0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php0%Avira URL Cloudsafe
        https://isocert-secaac.com/u0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php430%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpa0%Avira URL Cloudsafe
        https://isocert-secaac.com/0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php:0%Avira URL Cloudsafe
        https://isocert-secaac.com/e0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php43J0%Avira URL Cloudsafe
        https://isocert-secaac.com/$0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpt0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php20%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpp0%Avira URL Cloudsafe
        https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php70%Avira URL Cloudsafe

        Domains and IPs

        Contacted Domains

        NameIPActiveMaliciousAntivirus DetectionReputation
        isocert-secaac.com
        		195.179.237.110
        		truefalse
          		unknown

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpfalse
          • Avira URL Cloud: safe
          		unknown

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpC:OperaWebPros.exe, 00000008.00000002.2175475453.0000000000885000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpJOperaWebPros.exe, 00000005.00000002.2077592296.0000000000886000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpZZC:OperaWebPros.exe, 00000008.00000002.2175475453.0000000000885000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2212023553.00000000006E1000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpVn1OperaWebPros.exe, 00000008.00000002.2175475453.0000000000847000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpFOperaWebPros.exe, 00000009.00000002.2210385293.0000000000190000.00000004.00000010.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpBOperaWebPros.exe, 00000005.00000002.2077592296.0000000000877000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000005.00000002.2077592296.0000000000886000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://schemas.xmlsoap.org/soap/envelope/OperaWebPros.exe, 00000003.00000000.1692325796.0000000000401000.00000020.00000001.01000000.00000003.sdmp, OperaWebPros.exe.1.drfalse
            		high
            https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php_OperaWebPros.exe, 00000005.00000002.2077592296.0000000000877000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000005.00000002.2077592296.0000000000886000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php00OperaWebPros.exe, 00000008.00000002.2175475453.0000000000847000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://www.indyproject.org/OperaWebPros.exe, 00000005.00000002.2143103636.0000000068B48000.00000020.00000001.01000000.00000004.sdmp, OperaWebPros.exe, 00000005.00000002.2099868852.00000000024D0000.00000004.00001000.00020000.00000000.sdmp, OperaWebPros.exe, 00000008.00000002.2183433564.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2219704017.00000000025E0000.00000004.00001000.00020000.00000000.sdmpfalse
              		high
              https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php04OperaWebPros.exe, 00000008.00000002.2175475453.0000000000857000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpXOperaWebPros.exe, 00000005.00000002.2077592296.00000000008C7000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpROperaWebPros.exe, 00000005.00000002.2069955883.0000000000190000.00000004.00000010.00020000.00000000.sdmp, OperaWebPros.exe, 00000008.00000002.2173076849.0000000000190000.00000004.00000010.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2212023553.0000000000703000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2210385293.0000000000190000.00000004.00000010.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpQOperaWebPros.exe, 00000008.00000002.2175475453.0000000000885000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpKLPOperaWebPros.exe, 00000005.00000002.2077592296.0000000000886000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000008.00000002.2175475453.0000000000857000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2212023553.0000000000703000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpMyOperaWebPros.exe, 00000008.00000002.2175475453.00000000007F8000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://stats.itopvpn.com/iusage.phpOperaWebPros.exe, 00000003.00000000.1692325796.0000000000401000.00000020.00000001.01000000.00000003.sdmp, OperaWebPros.exe.1.drfalse
                		high
                https://isocert-secaac.com/mOperaWebPros.exe, 00000008.00000002.2175475453.0000000000885000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpRCOperaWebPros.exe, 00000005.00000002.2069955883.0000000000190000.00000004.00000010.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpjOperaWebPros.exe, 00000005.00000002.2077592296.0000000000886000.00000004.00000020.00020000.00000000.sdmpfalse
                  		unknown
                  https://isocert-secaac.com/uOperaWebPros.exe, 00000009.00000002.2212023553.0000000000727000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php43OperaWebPros.exe, 00000009.00000002.2212023553.0000000000703000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpbOperaWebPros.exe, 00000005.00000002.2077592296.0000000000877000.00000004.00000020.00020000.00000000.sdmpfalse
                    		unknown
                    https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpaOperaWebPros.exe, 00000008.00000002.2175475453.0000000000885000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://isocert-secaac.com/OperaWebPros.exe, 00000008.00000002.2175475453.0000000000885000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2212023553.0000000000727000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php:OperaWebPros.exe, 00000008.00000002.2175475453.0000000000847000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2210385293.0000000000190000.00000004.00000010.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phpxOperaWebPros.exe, 00000005.00000002.2077592296.00000000008C7000.00000004.00000020.00020000.00000000.sdmpfalse
                      		unknown
                      https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php7OperaWebPros.exe, 00000005.00000002.2069955883.0000000000190000.00000004.00000010.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://isocert-secaac.com/eOperaWebPros.exe, 00000008.00000002.2175475453.0000000000885000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://isocert-secaac.com/$OperaWebPros.exe, 00000009.00000002.2212023553.0000000000727000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php43JOperaWebPros.exe, 00000005.00000002.2077592296.0000000000886000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phptOperaWebPros.exe, 00000005.00000002.2077592296.0000000000877000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000005.00000002.2077592296.00000000008C7000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://isocert-secaac.com/contadorperu/ElonMusKLPeru.php2OperaWebPros.exe, 00000008.00000002.2175475453.0000000000857000.00000004.00000020.00020000.00000000.sdmp, OperaWebPros.exe, 00000009.00000002.2212023553.0000000000703000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      https://isocert-secaac.com/contadorperu/ElonMusKLPeru.phppOperaWebPros.exe, 00000008.00000002.2175475453.0000000000857000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown

                      World Map of Contacted IPs

                      • No. of IPs < 25%
                      • 25% < No. of IPs < 50%
                      • 50% < No. of IPs < 75%
                      • 75% < No. of IPs

                      Public IPs

                      IPDomainCountryFlagASNASN NameMalicious
                      195.179.237.110
                      		isocert-secaac.comGermany
                      		6659NEXINTO-DEfalse

                      General Information

                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1565725
                      Start date and time:2024-11-30 16:58:10 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 8m 26s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:11
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:W3UokmKK3o.msi
                      renamed because original name is a hash value
                      Original Sample Name:c1004b09968d8ff1f0720c5525bca3af281a0f8c71cc0aad73fd9bb0d531ff85.msi
                      Detection:MAL
                      Classification:mal76.evad.winMSI@9/26@1/1
                      EGA Information:
                      • Successful, ratio: 66.7%
                      HCA Information:
                      • Successful, ratio: 69%
                      • Number of executed functions: 12
                      • Number of non-executed functions: 22
                      Cookbook Comments:
                      • Found application associated with file extension: .msi
                      • Override analysis time to 240000 for current running targets taking high CPU consumption

                      Warnings

                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target OperaWebPros.exe, PID 6384 because there are no executed function
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: W3UokmKK3o.msi

                      Simulations

                      Behavior and APIs

                      TimeTypeDescription
                      10:59:12API Interceptor1x Sleep call for process: OperaWebPros.exe modified
                      15:59:15AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OperaWebPros.exe C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe
                      15:59:23AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run OperaWebPros.exe C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe
                      15:59:32AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OperaWebPros.exe C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe

                      Joe Sandbox View / Context

                      IPs

                      No context

                      Domains

                      No context

                      ASNs

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      NEXINTO-DEA2028041200SD.exeGet hashmaliciousFormBookBrowse
                      • 194.195.220.41
                      arm7.elfGet hashmaliciousMirai, MoobotBrowse
                      • 212.229.165.81
                      ppc.elfGet hashmaliciousMiraiBrowse
                      • 195.180.12.28
                      x86_32.nn.elfGet hashmaliciousMirai, OkiruBrowse
                      • 212.228.240.237
                      arm5.elfGet hashmaliciousMiraiBrowse
                      • 194.195.203.106
                      la.bot.arm6.elfGet hashmaliciousUnknownBrowse
                      • 194.64.28.128
                      powerpc.nn.elfGet hashmaliciousMirai, OkiruBrowse
                      • 194.195.194.150
                      sora.mips.elfGet hashmaliciousMiraiBrowse
                      • 212.228.240.206
                      arm.nn-20241122-0008.elfGet hashmaliciousMirai, OkiruBrowse
                      • 194.163.249.204
                      sh4.elfGet hashmaliciousMiraiBrowse
                      • 212.228.240.217

                      JA3 Fingerprints

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      37f463bf4616ecd445d4a1937da06e19file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                      • 195.179.237.110
                      file.exeGet hashmaliciousVidarBrowse
                      • 195.179.237.110
                      RezQY7jWu8.exeGet hashmaliciousXRedBrowse
                      • 195.179.237.110
                      file.exeGet hashmaliciousHackBrowser, XmrigBrowse
                      • 195.179.237.110
                      siveria.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                      • 195.179.237.110
                      unique.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                      • 195.179.237.110
                      Fortexternal.exeGet hashmaliciousUnknownBrowse
                      • 195.179.237.110
                      siveria.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                      • 195.179.237.110
                      file.exeGet hashmaliciousClipboard HijackerBrowse
                      • 195.179.237.110
                      file.exeGet hashmaliciousClipboard HijackerBrowse
                      • 195.179.237.110

                      Dropped Files

                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                      C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exetroca.msiGet hashmaliciousUnknownBrowse
                        Epdf_information.msiGet hashmaliciousUnknownBrowse
                          PayPal-acc.msiGet hashmaliciousUnknownBrowse
                            order_information.msiGet hashmaliciousUnknownBrowse
                              Nf_-_Eletronica_LTDA.msiGet hashmaliciousUnknownBrowse
                                RAS_OL321231.msiGet hashmaliciousUnknownBrowse
                                  file.msiGet hashmaliciousUnknownBrowse
                                    file.msiGet hashmaliciousUnknownBrowse
                                      file.msiGet hashmaliciousUnknownBrowse
                                        fatura_2023_comprovante_25823548ASDFH2349ASFK235.msiGet hashmaliciousUnknownBrowse

                                          Created / dropped Files

                                          C:\Config.Msi\40264f.rbs

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):1602
                                          Entropy (8bit):5.579994737907314
                                          Encrypted:false
                                          SSDEEP:48:ke39N5RBSVlBhlxSPlNleL/F7vfrLKLKpLrRqLm55LU:kE5khpjWOp5qs5I
                                          MD5:EDB98F8F373E7448496F405C5B5C77A9
                                          SHA1:829C96772C70C578545F80F5F9882F7051C487CD
                                          SHA-256:EA30E2DED560004C6AF418EC41ADB8A50A4C4A6EB41926248E22B79139C88F6F
                                          SHA-512:CAD389B52F900D72934BD5A36B05E791F17826CB0464E5C9510DF8A1526958206193B900E793FD1E32A9AE30C1D6E54310070EF5EE20628AA3F1BBF7AF9D84AB
                                          Malicious:false
                                          Reputation:low
                                          Preview:...@IXOS.@.....@aW~Y.@.....@.....@.....@.....@.....@......&.{356E8AF0-E912-4E89-B183-782686754D6E}..Opera Steam Pro..W3UokmKK3o.msi.@.....@.....@.....@........&.{ADCE6DD5-A4F6-479E-B9D4-45D32AEBE02E}.....@.....@.....@.....@.......@.....@.....@.......@......Opera Steam Pro......Rollback..A.c.c.i...n. .d.e. .r.e.s.t.a.u.r.a.c.i...n.:.....RollbackCleanup..Quitando copias de seguridad..Archivo: [1]....ProcessComponents'.Actualizando el registro de componentes..&.{4E9A8A42-B167-4E39-AAE0-EDF568468573}&.{356E8AF0-E912-4E89-B183-782686754D6E}.@......&.{40C9FBE7-85CA-4FC4-8323-006B87D51C1C}&.{356E8AF0-E912-4E89-B183-782686754D6E}.@......&.{A18B0D86-F8FF-4D42-94B4-6301F0DE2F92}&.{356E8AF0-E912-4E89-B183-782686754D6E}.@......&.{FF50FFDB-7AC0-4B05-A38C-7445F5DC669E}&.{356E8AF0-E912-4E89-B183-782686754D6E}.@........CreateFolders..Creando carpetas..Carpeta: [1]#.A.C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\.@........InstallFiles..Copiando archivos nuevos*.A.r.c.h.i.v.o.:. .[.1

                                          C:\Users\user\AppData\Local\657773

                                          Download File
                                          Process:C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):32
                                          Entropy (8bit):4.452819531114783
                                          Encrypted:false
                                          SSDEEP:3:1Eypy1uLgov:1Xpy1uLgy
                                          MD5:CB4FF9D0A48877428342C47505C0F10F
                                          SHA1:5AA49B3CC248D0665AE24053173A982BA8C3BFF0
                                          SHA-256:CC9AE489DD463BDF97AC4D7FA7463225D15D105352D5B25D38B55731708D5F2C
                                          SHA-512:420AFB80DDF2E7DF9ECA0E8DA95B4801B35E24D28DF7541F0015D91A182891121223FCF112C83543F45276FD2246EB77FE0895CC842147C1835830A52D325301
                                          Malicious:false
                                          Reputation:low
                                          Preview:[Generate Pasta]..EfwjKvRnBFZM..

                                          C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):1856512
                                          Entropy (8bit):6.763893864307226
                                          Encrypted:false
                                          SSDEEP:24576:fMWohhojVlG981FE03Pb+Cp67LkDdlXUi+nNv3O5AcAQNwuWSfJST4HCLgCGT/TH:KhujVl6p8UiaAKRT4HCUN1
                                          MD5:CEEF4762B36067F1D32A0DB621EE967E
                                          SHA1:D23DA38DF6B0FCA8C524B641C59C700A2338648E
                                          SHA-256:EFB6169BBB869A849AFB91184A75B906FE509CBF6E672B6B4F3311C02343BBBB
                                          SHA-512:6301871A95E48F2873B60C706757AF38D956C895112F14C28EAC4C4A83456A1ACDF15D0A5B1CD35F267A4149DC78B2469C427BDE6A1BF5AA99DE51D5E824D1B3
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe, Author: Joe Security
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 3%
                                          Joe Sandbox View:
                                          • Filename: troca.msi, Detection: malicious, Browse
                                          • Filename: Epdf_information.msi, Detection: malicious, Browse
                                          • Filename: PayPal-acc.msi, Detection: malicious, Browse
                                          • Filename: order_information.msi, Detection: malicious, Browse
                                          • Filename: Nf_-_Eletronica_LTDA.msi, Detection: malicious, Browse
                                          • Filename: RAS_OL321231.msi, Detection: malicious, Browse
                                          • Filename: file.msi, Detection: malicious, Browse
                                          • Filename: file.msi, Detection: malicious, Browse
                                          • Filename: file.msi, Detection: malicious, Browse
                                          • Filename: fatura_2023_comprovante_25823548ASDFH2349ASFK235.msi, Detection: malicious, Browse
                                          Reputation:moderate, very likely benign file
                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....a..................................... ....@........................... .................@......................P....@...F.......................@......@....................................................L...............................text...t........................... ..`.itext.............................. ..`.data........ ......................@....bss.....f...............................idata...F...@...H..................@....edata..P...........................@..@.tls....L................................rdata..............................@..@.reloc..@...........................@..B.rsrc...............................@..@....................................@..@........................................................

                                          C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\WebUI.dll

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):19700736
                                          Entropy (8bit):7.97748554126947
                                          Encrypted:false
                                          SSDEEP:393216:9ED/kGgQFyw55b/Z4yJ1t1N8Gk3C+dAw2mewSaB6I24WDrJtNBe:2v3T4yx1yr/Gw2megg5
                                          MD5:7A9B61729BF72A8EECAC652A6A4CDC7D
                                          SHA1:D99A9C76AD774F4E75820196FD26B8ED0BEE2F06
                                          SHA-256:B15ED20A85F5DA9B4657788F26F748BDAD9E52D92D110092A6A4CE4C6A7F445E
                                          SHA-512:305A6469F54C7FB10E51362F9F59943C4DCAAB44E88E1F9F0C5857D0BFE25A9BD666CC93820E6D39CFCA2543544917D162AA1730B9652EFCF719255C52B3BA21
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 54%
                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L.....Hg...........!......C..|...............D...@.......................................@..........................c.........,.......@.......................l.......................................................t...h........................text...`.C......................... ..`.itext.../....C..................... ..`.data.........D.....................@....bss.....z....E..........................idata..$>....F.....................@....didata......PF.....................@....edata.......`F.....................@..@.rdata..E....pF.....................@..@.p=T....]PR...F..................... ..`.,Bp................................@....* [......,......,................. ..`.rsrc...@.............,.............@..@.reloc..l.............,.............@..B.....................0.......n..............@..@........................................................

                                          C:\Windows\Installer\40264d.msi

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {ADCE6DD5-A4F6-479E-B9D4-45D32AEBE02E}, Number of Words: 10, Subject: Opera Steam Pro, Author: Opera Updown Bugs, Name of Creating Application: Opera Steam Pro, Template: ;3082, Comments: Esta base de datos del instalador contiene la lgica y los datos necesarios para instalar Opera Steam Pro., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Nov 29 01:47:55 2024, Number of Pages: 200
                                          Category:dropped
                                          Size (bytes):21371904
                                          Entropy (8bit):7.977261626454602
                                          Encrypted:false
                                          SSDEEP:393216:x+Cs1r3xQFaTH9x34GHEEHD3ZwSWAj+f5BaZOVRQQ3yL2b5UHikTZuhIl:K1riI4G3HzWsKf5Bai5bqHtkC
                                          MD5:5838E52D76526DF907F4AB624800F5C3
                                          SHA1:5F3706AA844DF3D269B0EC7AC0029F927C16070C
                                          SHA-256:C1004B09968D8FF1F0720C5525BCA3AF281A0F8C71CC0AAD73FD9BB0D531FF85
                                          SHA-512:74E9FA38B1B49999EB632AE402493F185F255C25826E423923E35E27F85A618B413CA46D3A988CD5A334FCB7673C3DEE4BF6AFFDB7ED3BD23962D48DD30C1FAF
                                          Malicious:false
                                          Preview:......................>...................G...................................F.......b.......o...............................................w...........................................................................................................................................................................................................................................................................................................................................................................................<...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)...*...1...,...-......./...0...4...2...;...?...5...6...7...8...9...:...E...=.......>.......@...A...B...C...D...............H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                          C:\Windows\Installer\MSI289F.tmp

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):601920
                                          Entropy (8bit):6.469032452979565
                                          Encrypted:false
                                          SSDEEP:12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
                                          MD5:CADBCF6F5A0199ECC0220CE23A860D89
                                          SHA1:073C149D68916520AEA882E588AB9A5AE083D75A
                                          SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
                                          SHA-512:CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................

                                          C:\Windows\Installer\MSI290D.tmp

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):601920
                                          Entropy (8bit):6.469032452979565
                                          Encrypted:false
                                          SSDEEP:12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
                                          MD5:CADBCF6F5A0199ECC0220CE23A860D89
                                          SHA1:073C149D68916520AEA882E588AB9A5AE083D75A
                                          SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
                                          SHA-512:CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................

                                          C:\Windows\Installer\MSI292D.tmp

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):601920
                                          Entropy (8bit):6.469032452979565
                                          Encrypted:false
                                          SSDEEP:12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
                                          MD5:CADBCF6F5A0199ECC0220CE23A860D89
                                          SHA1:073C149D68916520AEA882E588AB9A5AE083D75A
                                          SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
                                          SHA-512:CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................

                                          C:\Windows\Installer\MSI296D.tmp

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):601920
                                          Entropy (8bit):6.469032452979565
                                          Encrypted:false
                                          SSDEEP:12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
                                          MD5:CADBCF6F5A0199ECC0220CE23A860D89
                                          SHA1:073C149D68916520AEA882E588AB9A5AE083D75A
                                          SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
                                          SHA-512:CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................

                                          C:\Windows\Installer\MSI29DB.tmp

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):601920
                                          Entropy (8bit):6.469032452979565
                                          Encrypted:false
                                          SSDEEP:12288:g+zdBoU6TPAjp66Ulgc2zGz5gCxOWIGvn:HBoBTopk1QGz53sWIGvn
                                          MD5:CADBCF6F5A0199ECC0220CE23A860D89
                                          SHA1:073C149D68916520AEA882E588AB9A5AE083D75A
                                          SHA-256:42EF18C42FE06709F3C86157E2270358F3C93D14BE2E173B8FAE8EDCEFDDFCA0
                                          SHA-512:CEBB128BDC04E6B29DF74BEDCC375A340AC037563D828AF3455DE41F31D2E464F82F85C97CA9910A4A7C819EFA906AA4A4560174F184CEE316F53E3D2B5CDCCC
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.J.8.$.8.$.8.$...'.5.$...!.$.. .).$..'./.$..!.r.$... .!.$...".9.$...%...$.8.%.$...-.R.$...$.9.$.....9.$.8...9.$...&.9.$.Rich8.$.........................PE..L...R+Jd.........."!...#.<...........W.......P...............................0......5R....@..........................W..d....a..,.......................@=...... h......p..............................@............P..l............................text....:.......<.................. ..`.rdata..:,...P.......@..............@..@.data... %...........n..............@....rsrc................~..............@..@.reloc.. h.......j..................@..B........................................................................................................................................................................................................................................................................

                                          C:\Windows\Installer\MSI2A59.tmp

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2159
                                          Entropy (8bit):5.424851143689462
                                          Encrypted:false
                                          SSDEEP:48:Ve39N54Bd2SLhgLEPLSGLJiL/F7vNLh/YE0ripqzPRgLP55L3L4:VE53SVgguGgpNNQipqzZgV5Tk
                                          MD5:7EDB5E29B4BB44EB3CED1D4A710A60EC
                                          SHA1:EA52BDB911260C387E43F1F7C3896C09832D37D1
                                          SHA-256:9970A6428A177BCAE67E50B2763758A95A3D0D24F889B17064760B7850C0E54C
                                          SHA-512:B056E565FB266F102C675DECEA9AAFFAC27BBF3BB013618ED6E06A5CC565CEEDB5F7ED50ACB24B2E361D5EA693A7657F7EC2F3FD126F4AFABF9BD703CCEE2E98
                                          Malicious:false
                                          Preview:...@IXOS.@.....@aW~Y.@.....@.....@.....@.....@.....@......&.{356E8AF0-E912-4E89-B183-782686754D6E}..Opera Steam Pro..W3UokmKK3o.msi.@.....@.....@.....@........&.{ADCE6DD5-A4F6-479E-B9D4-45D32AEBE02E}.....@.....@.....@.....@.......@.....@.....@.......@......Opera Steam Pro......Rollback..A.c.c.i...n. .d.e. .r.e.s.t.a.u.r.a.c.i...n.:.....RollbackCleanup..Quitando copias de seguridad..Archivo: [1]...@.......@........ProcessComponents'.Actualizando el registro de componentes...@.....@.....@.]....&.{4E9A8A42-B167-4E39-AAE0-EDF568468573}A.C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\.@.......@.....@.....@......&.{40C9FBE7-85CA-4FC4-8323-006B87D51C1C}6.01:\Software\Opera Updown Bugs\Opera Steam Pro\Version.@.......@.....@.....@......&.{A18B0D86-F8FF-4D42-94B4-6301F0DE2F92}Q.C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe.@.......@.....@.....@......&.{FF50FFDB-7AC0-4B05-A38C-7445F5DC669E}J.C:\Users\user\AppData\Roaming\Opera Updown Bugs\Op

                                          C:\Windows\Installer\SourceHash{356E8AF0-E912-4E89-B183-782686754D6E}

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.16349451109415
                                          Encrypted:false
                                          SSDEEP:12:JSbX72Fj6AGiLIlHVRpZh/7777777777777777777777777vDHFdblFIyWwwit/z:JEQI5tvbllViF
                                          MD5:0160F10B020F875DB8D89F4BF7DD55CB
                                          SHA1:65D0B750467A38B0C6E0A82AFF2666931CB6A54C
                                          SHA-256:61A3E2818A145A8B45781D2F6133E6EE625E97F4C2209C59223E75083B38DBFA
                                          SHA-512:5FA250E397B099BA33763AE66AE2B215B690AAEE2B25FB1A8980CFCA0435CDFF6B55232AADE46FC0E69427680AF3D65FEF988F98B11219627A2060FED0129FB6
                                          Malicious:false
                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Windows\Installer\inprogressinstallinfo.ipi

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.5577832322966065
                                          Encrypted:false
                                          SSDEEP:48:o8PhuuRc06WXJ0FT50A1qnjiSsvTSCSsvNAECiCymvao/SsvTSCSsvxT9BF:3hu13FT2OscoECt5
                                          MD5:2BE85FFC9BE4DB1F2752807E44AF71AB
                                          SHA1:F3893102F0AF6ED79650487F0D145B27274A50DD
                                          SHA-256:3EA3F8DB795588C3BF78FDC7FB6ECD1B86F45980EFF28DC9841A0C42DDFFA7A8
                                          SHA-512:853EF0E6FF3FB5FA0F3179518478606B2FA92024080DDC5A02FB5843BAA318DA8BE9F300AFF2F6F4AE044812ACA370EAA089A771EA62231E3C08B9DE91D369C2
                                          Malicious:false
                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):432221
                                          Entropy (8bit):5.375162839748599
                                          Encrypted:false
                                          SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauo:zTtbmkExhMJCIpEr5
                                          MD5:0150F7ECCCD43476224A729652ED02F5
                                          SHA1:AC09199EE99B4AB91C67051543E51370E342765E
                                          SHA-256:91F743FB82C28054BD87036031453908B729ED92B4C3B7AB3BAEA4860BB75671
                                          SHA-512:2E1D7DED293D7A6AB7A4AE6BBB0B8830EF25B1D5C546DC2BAE1618D35EBF61BE463AA3E5B91173E7800676FE9BEFB45BBC47C568C914F86A84081294C42689C6
                                          Malicious:false
                                          Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

                                          C:\Windows\Temp\~DF19E2DF8803B0B372.TMP

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.249719798253269
                                          Encrypted:false
                                          SSDEEP:48:FgmmuBO+CFXJpT5UA1qnjiSsvTSCSsvNAECiCymvao/SsvTSCSsvxT9BF:1mxRTWOscoECt5
                                          MD5:3AE4FE8AA685565FA70F3D3D8527E68B
                                          SHA1:BC4C913E5633C234794C98E3DE8C253C8B4478DE
                                          SHA-256:C8B406FCA9CCE1EF20F93EAC3E24FB83AF83F4A0A933F498EBB5CA74D81DFB91
                                          SHA-512:DFE17AA61ED8EFEE081A8FB76506D4AFD2BDF7D756ADD3E138B803B87107CA4ABAE465E45EDFDFFAF71DB592DC18C816D7B6DD3270030CB8C11E45001200327F
                                          Malicious:false
                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Windows\Temp\~DF2ED7D7BA61064683.TMP

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Windows\Temp\~DF3132B76A108521BE.TMP

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Windows\Temp\~DF467BC4DCD3D90C7B.TMP

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.5577832322966065
                                          Encrypted:false
                                          SSDEEP:48:o8PhuuRc06WXJ0FT50A1qnjiSsvTSCSsvNAECiCymvao/SsvTSCSsvxT9BF:3hu13FT2OscoECt5
                                          MD5:2BE85FFC9BE4DB1F2752807E44AF71AB
                                          SHA1:F3893102F0AF6ED79650487F0D145B27274A50DD
                                          SHA-256:3EA3F8DB795588C3BF78FDC7FB6ECD1B86F45980EFF28DC9841A0C42DDFFA7A8
                                          SHA-512:853EF0E6FF3FB5FA0F3179518478606B2FA92024080DDC5A02FB5843BAA318DA8BE9F300AFF2F6F4AE044812ACA370EAA089A771EA62231E3C08B9DE91D369C2
                                          Malicious:false
                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Windows\Temp\~DF8679D4430FA94377.TMP

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.249719798253269
                                          Encrypted:false
                                          SSDEEP:48:FgmmuBO+CFXJpT5UA1qnjiSsvTSCSsvNAECiCymvao/SsvTSCSsvxT9BF:1mxRTWOscoECt5
                                          MD5:3AE4FE8AA685565FA70F3D3D8527E68B
                                          SHA1:BC4C913E5633C234794C98E3DE8C253C8B4478DE
                                          SHA-256:C8B406FCA9CCE1EF20F93EAC3E24FB83AF83F4A0A933F498EBB5CA74D81DFB91
                                          SHA-512:DFE17AA61ED8EFEE081A8FB76506D4AFD2BDF7D756ADD3E138B803B87107CA4ABAE465E45EDFDFFAF71DB592DC18C816D7B6DD3270030CB8C11E45001200327F
                                          Malicious:false
                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Windows\Temp\~DF907B20983E4B2A6E.TMP

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Windows\Temp\~DF9F111900C2F80E27.TMP

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.249719798253269
                                          Encrypted:false
                                          SSDEEP:48:FgmmuBO+CFXJpT5UA1qnjiSsvTSCSsvNAECiCymvao/SsvTSCSsvxT9BF:1mxRTWOscoECt5
                                          MD5:3AE4FE8AA685565FA70F3D3D8527E68B
                                          SHA1:BC4C913E5633C234794C98E3DE8C253C8B4478DE
                                          SHA-256:C8B406FCA9CCE1EF20F93EAC3E24FB83AF83F4A0A933F498EBB5CA74D81DFB91
                                          SHA-512:DFE17AA61ED8EFEE081A8FB76506D4AFD2BDF7D756ADD3E138B803B87107CA4ABAE465E45EDFDFFAF71DB592DC18C816D7B6DD3270030CB8C11E45001200327F
                                          Malicious:false
                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Windows\Temp\~DFB0D1F65FE0A5355A.TMP

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Windows\Temp\~DFC52D348679A62E48.TMP

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:3::
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Windows\Temp\~DFC6EA4676B6C33C88.TMP

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.5577832322966065
                                          Encrypted:false
                                          SSDEEP:48:o8PhuuRc06WXJ0FT50A1qnjiSsvTSCSsvNAECiCymvao/SsvTSCSsvxT9BF:3hu13FT2OscoECt5
                                          MD5:2BE85FFC9BE4DB1F2752807E44AF71AB
                                          SHA1:F3893102F0AF6ED79650487F0D145B27274A50DD
                                          SHA-256:3EA3F8DB795588C3BF78FDC7FB6ECD1B86F45980EFF28DC9841A0C42DDFFA7A8
                                          SHA-512:853EF0E6FF3FB5FA0F3179518478606B2FA92024080DDC5A02FB5843BAA318DA8BE9F300AFF2F6F4AE044812ACA370EAA089A771EA62231E3C08B9DE91D369C2
                                          Malicious:false
                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Windows\Temp\~DFF5563F742D086EF9.TMP

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):73728
                                          Entropy (8bit):0.13519772788214052
                                          Encrypted:false
                                          SSDEEP:48:kF8lTeSsvTSCSsvqSsvTSCSsvNAECiCymvaoNHQ1q2:cR+oEC5+7
                                          MD5:C71E1A6602E31FBDBCC6B1DDD42A73E2
                                          SHA1:0E3A29766A3D94736340CF153E37FA90BB5B6480
                                          SHA-256:DD28E86ED70470307CBF18B49AEF878854FEEABAFCEE9E0BFCFBD5A3717C10CC
                                          SHA-512:39F31E70C854D8851DEC8FDBA8DA5E064B0BA3E6EE1D685D5A8AE2A2A4181E73A87690A7B16E04E47D63BCAE2B6011EB788459C464A960CBDF31D2E2E4A87476
                                          Malicious:false
                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          C:\Windows\Temp\~DFF9038ED133B6AD55.TMP

                                          Download File
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):0.0714406117678141
                                          Encrypted:false
                                          SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOdzf+g4SIyWw9tgVky6lit/:2F0i8n0itFzDHFdblFIyWwjit/
                                          MD5:A2BE2DC639F069534911F6D7A5EF62B8
                                          SHA1:A681D74E5E73AEF9869A30BFEEBE5BC7595E405B
                                          SHA-256:BB02B41B2142495C2433829919BBAB8A608AA216E74548E58B0C83F4E38F89E5
                                          SHA-512:DC8D84037B156CB49FF01803AF11EDD2BF32DBC1B4061C49D13F145BC9FF33808F2704FA4B9905311736C00A40371F39A9DA8E716BFA2974B1BAF0153DF5F6B1
                                          Malicious:false
                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          Static File Info

                                          General

                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {ADCE6DD5-A4F6-479E-B9D4-45D32AEBE02E}, Number of Words: 10, Subject: Opera Steam Pro, Author: Opera Updown Bugs, Name of Creating Application: Opera Steam Pro, Template: ;3082, Comments: Esta base de datos del instalador contiene la lgica y los datos necesarios para instalar Opera Steam Pro., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Nov 29 01:47:55 2024, Number of Pages: 200
                                          Entropy (8bit):7.977261626454602
                                          TrID:
                                          • Windows SDK Setup Transform Script (63028/2) 88.73%
                                          • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                          File name:W3UokmKK3o.msi
                                          File size:21'371'904 bytes
                                          MD5:5838e52d76526df907f4ab624800f5c3
                                          SHA1:5f3706aa844df3d269b0ec7ac0029f927c16070c
                                          SHA256:c1004b09968d8ff1f0720c5525bca3af281a0f8c71cc0aad73fd9bb0d531ff85
                                          SHA512:74e9fa38b1b49999eb632ae402493f185f255c25826e423923e35e27f85a618b413ca46d3a988cd5a334fcb7673c3dee4bf6affdb7ed3bd23962d48dd30c1faf
                                          SSDEEP:393216:x+Cs1r3xQFaTH9x34GHEEHD3ZwSWAj+f5BaZOVRQQ3yL2b5UHikTZuhIl:K1riI4G3HzWsKf5Bai5bqHtkC
                                          TLSH:6E273325E2CBCA22D55D017BE959FE0F1578BE93133451E7B6F8396E44F0CC1A2B9A02
                                          File Content Preview:........................>...................G...................................F.......b.......o...............................................w..............................................................................................................

                                          File Icon

                                          Icon Hash:2d2e3797b32b2b99

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Nov 30, 2024 16:59:13.322694063 CET49730443192.168.2.4195.179.237.110
                                          Nov 30, 2024 16:59:13.322772026 CET44349730195.179.237.110192.168.2.4
                                          Nov 30, 2024 16:59:13.322877884 CET49730443192.168.2.4195.179.237.110
                                          Nov 30, 2024 16:59:13.349782944 CET49730443192.168.2.4195.179.237.110
                                          Nov 30, 2024 16:59:13.349817038 CET44349730195.179.237.110192.168.2.4
                                          Nov 30, 2024 16:59:14.791367054 CET44349730195.179.237.110192.168.2.4
                                          Nov 30, 2024 16:59:14.791440964 CET49730443192.168.2.4195.179.237.110
                                          Nov 30, 2024 16:59:14.998701096 CET49730443192.168.2.4195.179.237.110
                                          Nov 30, 2024 16:59:14.998740911 CET44349730195.179.237.110192.168.2.4
                                          Nov 30, 2024 16:59:14.998985052 CET44349730195.179.237.110192.168.2.4
                                          Nov 30, 2024 16:59:14.999037027 CET49730443192.168.2.4195.179.237.110
                                          Nov 30, 2024 16:59:15.006768942 CET49730443192.168.2.4195.179.237.110
                                          Nov 30, 2024 16:59:15.051331043 CET44349730195.179.237.110192.168.2.4
                                          Nov 30, 2024 16:59:17.491502047 CET44349730195.179.237.110192.168.2.4
                                          Nov 30, 2024 16:59:17.492228031 CET44349730195.179.237.110192.168.2.4
                                          Nov 30, 2024 16:59:17.492307901 CET49730443192.168.2.4195.179.237.110
                                          Nov 30, 2024 16:59:17.517359018 CET49730443192.168.2.4195.179.237.110
                                          Nov 30, 2024 16:59:17.517380953 CET44349730195.179.237.110192.168.2.4
                                          Nov 30, 2024 16:59:17.517401934 CET49730443192.168.2.4195.179.237.110
                                          Nov 30, 2024 16:59:17.517525911 CET49730443192.168.2.4195.179.237.110

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Nov 30, 2024 16:59:12.931617975 CET6209353192.168.2.41.1.1.1
                                          Nov 30, 2024 16:59:13.301115036 CET53620931.1.1.1192.168.2.4

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                          Nov 30, 2024 16:59:12.931617975 CET192.168.2.41.1.1.10x81ccStandard query (0)isocert-secaac.comA (IP address)IN (0x0001)false

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                          Nov 30, 2024 16:59:13.301115036 CET1.1.1.1192.168.2.40x81ccNo error (0)isocert-secaac.com195.179.237.110A (IP address)IN (0x0001)false

                                          HTTP Request Dependency Graph

                                          • isocert-secaac.com

                                          HTTPS Proxied Packets

                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                          0192.168.2.449730195.179.237.1104436104C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe
                                          TimestampBytes transferredDirectionData
                                          2024-11-30 15:59:15 UTC331OUTGET /contadorperu/ElonMusKLPeru.php HTTP/1.1
                                          Accept: */*
                                          Accept-Language: en-CH
                                          Accept-Encoding: gzip, deflate
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                          Host: isocert-secaac.com
                                          Connection: Keep-Alive
                                          2024-11-30 15:59:17 UTC478INHTTP/1.1 200 OK
                                          Connection: close
                                          x-powered-by: PHP/8.1.27
                                          content-type: text/plain;charset=UTF-8
                                          x-content-type-options: nosniff
                                          content-length: 0
                                          date: Sat, 30 Nov 2024 15:59:17 GMT
                                          server: LiteSpeed
                                          platform: hostinger
                                          panel: hpanel
                                          content-security-policy: upgrade-insecure-requests
                                          alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          High Level Behavior Distribution

                                          Click to dive into process behavior distribution

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Target ID:0
                                          Start time:10:58:59
                                          Start date:30/11/2024
                                          Path:C:\Windows\System32\msiexec.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\W3UokmKK3o.msi"
                                          Imagebase:0x7ff76e4d0000
                                          File size:69'632 bytes
                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:1
                                          Start time:10:58:59
                                          Start date:30/11/2024
                                          Path:C:\Windows\System32\msiexec.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\msiexec.exe /V
                                          Imagebase:0x7ff76e4d0000
                                          File size:69'632 bytes
                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          General

                                          Target ID:2
                                          Start time:10:59:00
                                          Start date:30/11/2024
                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 2AE652A063EEB462FDD602157B8A2647
                                          Imagebase:0xe20000
                                          File size:59'904 bytes
                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          General

                                          Target ID:3
                                          Start time:10:59:02
                                          Start date:30/11/2024
                                          Path:C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe"
                                          Imagebase:0x400000
                                          File size:1'856'512 bytes
                                          MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000003.00000000.1692325796.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe, Author: Joe Security
                                          Antivirus matches:
                                          • Detection: 3%, ReversingLabs
                                          Reputation:moderate
                                          Has exited:false

                                          General

                                          Target ID:5
                                          Start time:10:59:23
                                          Start date:30/11/2024
                                          Path:C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe"
                                          Imagebase:0x400000
                                          File size:1'856'512 bytes
                                          MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:Borland Delphi
                                          Reputation:moderate
                                          Has exited:true

                                          General

                                          Target ID:8
                                          Start time:10:59:31
                                          Start date:30/11/2024
                                          Path:C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe"
                                          Imagebase:0x400000
                                          File size:1'856'512 bytes
                                          MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:Borland Delphi
                                          Reputation:moderate
                                          Has exited:true

                                          General

                                          Target ID:9
                                          Start time:10:59:40
                                          Start date:30/11/2024
                                          Path:C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\Opera Updown Bugs\Opera Steam Pro\OperaWebPros.exe"
                                          Imagebase:0x400000
                                          File size:1'856'512 bytes
                                          MD5 hash:CEEF4762B36067F1D32A0DB621EE967E
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:Borland Delphi
                                          Reputation:moderate
                                          Has exited:true

                                          Disassembly

                                          Reset < >

                                            Execution Graph

                                            Execution Coverage:1.6%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:62.5%
                                            Total number of Nodes:8
                                            Total number of Limit Nodes:0
                                            execution_graph 1721 6a4a1561 1722 6a4a1571 1721->1722 1723 6a4a159f 1722->1723 1725 6aaf7730 1722->1725 1726 6aaf77a2 GetSystemInfo 1725->1726 1727 6aaf7923 1726->1727 1728 6a2a7be5 1729 6a2a7bfb LdrFindResource_U 1728->1729

                                            Executed Functions

                                            Function 6AAF7730 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 169COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 0 6aaf7730-6aaf791b GetSystemInfo 2 6aaf7923-6aaf799f 0->2
                                            APIs
                                            • GetSystemInfo.KERNEL32(?,?,26BA6B28), ref: 6AAF78CF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006AAF0000.00000020.00000001.01000000.00000004.sdmp, Offset: 6AAF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6aaf0000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID: InfoSystem
                                            • String ID: 2
                                            • API String ID: 31276548-450215437
                                            • Opcode ID: 8353f135e1012685b69b97d20caa9cb275419843c9b06e49f4cbdb088eeaf5c3
                                            • Instruction ID: efd251da4465b9e464572bc87741026f8aede15da1f72928bfeec3ef7ff46a7f
                                            • Opcode Fuzzy Hash: 8353f135e1012685b69b97d20caa9cb275419843c9b06e49f4cbdb088eeaf5c3
                                            • Instruction Fuzzy Hash: 1E518A3250871A8BC70CEE2CD8944EA73E3EBC9311F54873ED056876C8DB75661ACB41
                                            Function 6A2A7BE5 Relevance: 1.5, APIs: 1, Instructions: 19libraryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 3 6a2a7be5-6a2a7c11 LdrFindResource_U
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006A2A7000.00000020.00000001.01000000.00000004.sdmp, Offset: 6A2A7000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6a2a7000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID: FindResource_
                                            • String ID:
                                            • API String ID: 3289339417-0
                                            • Opcode ID: 7e50e1dff4b9bb31a08261bb177d3caf7e79b1d0e20d527e5e6c10525247b193
                                            • Instruction ID: 1eefc5bdc4f29f1250133ced422c3085045bae1a66076d374d3e2a3789570ec8
                                            • Opcode Fuzzy Hash: 7e50e1dff4b9bb31a08261bb177d3caf7e79b1d0e20d527e5e6c10525247b193
                                            • Instruction Fuzzy Hash: 4CD02237D9433C011009B2EDAC490AFB7C88984237B48821FE54A934C0168EB65646FA
                                            Function 6B003811 Relevance: 1.4, Strings: 1, Instructions: 169COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 5 6b003811-6b003821 6 6b0037f1-6b003807 5->6 7 6b003823-6b003873 5->7 6->5 8 6b003881-6b003902 7->8 9 6b00390e-6b003a5d 8->9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006B002000.00000020.00000001.01000000.00000004.sdmp, Offset: 6B002000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6b002000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: B
                                            • API String ID: 0-1255198513
                                            • Opcode ID: b964469912a61bf13cfa5e95ca342e9a33c9cd52219bbcd44b90a797439df3c3
                                            • Instruction ID: 0a3fe3c96413f203eac6f3161dd1aa832157bed53d686597ea2fb8d2b4992fa3
                                            • Opcode Fuzzy Hash: b964469912a61bf13cfa5e95ca342e9a33c9cd52219bbcd44b90a797439df3c3
                                            • Instruction Fuzzy Hash: 1051BA355047228FD718EF38D4A14ABB3E2EFD5321B918A7DD882CB285DB799416CB81
                                            Function 6A4A1561 Relevance: .0, Instructions: 35COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 12 6a4a1561-6a4a1596 16 6a4a159a call 6b003811 12->16 17 6a4a159a call 6aaf7730 12->17 14 6a4a159f-6a4a15ef 16->14 17->14
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006A4A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6A4A1000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6a4a1000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 741840651b7c048724d6410433e55deb5ec212f20010ba20c4c9cfeb9bf8fae3
                                            • Instruction ID: fa584221f724f98c5f98d12c8d75bc163030d1fb6de9e8ef6017aedc4bac2bd6
                                            • Opcode Fuzzy Hash: 741840651b7c048724d6410433e55deb5ec212f20010ba20c4c9cfeb9bf8fae3
                                            • Instruction Fuzzy Hash: 4D01D6355193128FC305DF28F44015BF7E2AFC1724F515B2DA095971A1DB785415CF42
                                            Function 6B102CA1 Relevance: .0, Instructions: 27COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 18 6b102ca1-6b102caa 20 6b102caf-6b102d01 18->20
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2351646860.000000006B0FE000.00000020.00000001.01000000.00000004.sdmp, Offset: 6B0FE000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6b0fe000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1d934f46c755a454ebc7b2152ae596bad575efeb55ca190c69f84c787aab1851
                                            • Instruction ID: 300391612776d762b971bb39f5ac3a95b6212fd62d2ca7b6f76afa334d998163
                                            • Opcode Fuzzy Hash: 1d934f46c755a454ebc7b2152ae596bad575efeb55ca190c69f84c787aab1851
                                            • Instruction Fuzzy Hash: 31F0277104830D6BC204A621E84546FBB96FBC222DF20CA3DA99982591C7381D454601

                                            Non-executed Functions

                                            Function 6AAF2A4B Relevance: 3.9, Strings: 3, Instructions: 102COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 35 6aaf2a4b-6aaf2bab
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006AAF0000.00000020.00000001.01000000.00000004.sdmp, Offset: 6AAF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6aaf0000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $ $%$v
                                            • API String ID: 0-3043377226
                                            • Opcode ID: 8d11f709a7984c380ca9d49063b4614f7f7ded205bcb67b683519c63bfa34299
                                            • Instruction ID: b51d92c39cfbc89f9d012a17f6fd4efb67efb01e664f71a2544cf2481e42c615
                                            • Opcode Fuzzy Hash: 8d11f709a7984c380ca9d49063b4614f7f7ded205bcb67b683519c63bfa34299
                                            • Instruction Fuzzy Hash: 4A316425114B069BDB1CEF38C4250FAB3A2EB95300F51D62D8557C71D4EF3A8416CA01
                                            Function 6A9AFE49 Relevance: 3.8, Strings: 3, Instructions: 95COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 41 6a9afe49-6a9affaf
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006A9A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6A9A1000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6a9a1000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 1$d$k
                                            • API String ID: 0-291857608
                                            • Opcode ID: e1ed4acfed53b2e99c3e858ca246643efee314ffa039b185717f25717cb93ddf
                                            • Instruction ID: f79c24655ab5bfef0fb33d9abdb1e18d1c3125ebad925532ff1d42192761718f
                                            • Opcode Fuzzy Hash: e1ed4acfed53b2e99c3e858ca246643efee314ffa039b185717f25717cb93ddf
                                            • Instruction Fuzzy Hash: 6531757200C3528AD718EF7CA1150BBBBE1EF85728F208A3DE896CB591EB359101C746
                                            Function 6A9AFE53 Relevance: 3.8, Strings: 3, Instructions: 93COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 46 6a9afe53-6a9affaf
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006A9A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6A9A1000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6a9a1000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 1$d$k
                                            • API String ID: 0-291857608
                                            • Opcode ID: e544dedeea068a9098d72455406c845d019686f3018a437715dbeed068200f34
                                            • Instruction ID: e3e2d8d5098c31c22e4cd55a9321855728e86507d41c31b8c447886f95d54067
                                            • Opcode Fuzzy Hash: e544dedeea068a9098d72455406c845d019686f3018a437715dbeed068200f34
                                            • Instruction Fuzzy Hash: A431667100C3568AC718EFBCA1154BBBBE1EF85724F208A3DE496CB5D1E7355115C746
                                            Function 6A9AF83E Relevance: 2.6, Strings: 2, Instructions: 122COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 50 6a9af83e-6a9afa14 call 6a9a2d0f
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006A9A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6A9A1000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6a9a1000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 5$b
                                            • API String ID: 0-2411012027
                                            • Opcode ID: c7822167d7221bf2466b8b718d99fa6d0a54a724df2646a2f02d50e7af1853c8
                                            • Instruction ID: 8006043889362643368a4d53a5dc5179ac904999f834102e1452338d31e632b1
                                            • Opcode Fuzzy Hash: c7822167d7221bf2466b8b718d99fa6d0a54a724df2646a2f02d50e7af1853c8
                                            • Instruction Fuzzy Hash: 2D41773652DB128BC724AB78D84459BB3E2AFC2328F54CB7DD099831D1D739890AE743
                                            Function 6AAF05C3 Relevance: 1.4, Strings: 1, Instructions: 198COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006AAF0000.00000020.00000001.01000000.00000004.sdmp, Offset: 6AAF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6aaf0000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: m
                                            • API String ID: 0-3775001192
                                            • Opcode ID: ff8b5c83806924c59934b1b98ff17ffcb86b10df8e5150340551a2aa4125610d
                                            • Instruction ID: e5acf641773cd28607ee7f7cefbe96c3a01f352e43cff62d911110be3138cca8
                                            • Opcode Fuzzy Hash: ff8b5c83806924c59934b1b98ff17ffcb86b10df8e5150340551a2aa4125610d
                                            • Instruction Fuzzy Hash: 4E6188755186128FD308DF28E8908FE77E2EFC5321F10CB2DE89AC7684EB74841A8B05
                                            Function 6AAF4183 Relevance: 1.4, Strings: 1, Instructions: 190COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006AAF0000.00000020.00000001.01000000.00000004.sdmp, Offset: 6AAF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6aaf0000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 701
                                            • API String ID: 0-2514542062
                                            • Opcode ID: 0b563d62bba27fd7d51d70a3a3773aff3530581227612af670b00c8e8e33d873
                                            • Instruction ID: 3771e477d5194da37277d3b8de332fb541a48718c522f0b8a87f6fea5002dad1
                                            • Opcode Fuzzy Hash: 0b563d62bba27fd7d51d70a3a3773aff3530581227612af670b00c8e8e33d873
                                            • Instruction Fuzzy Hash: 63717A746083168FC728DF28D4904DAB7E2FBC5304F51C67D9885CB689EB35A80ACB46
                                            Function 6A9AC28C Relevance: 1.4, Strings: 1, Instructions: 182COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006A9A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6A9A1000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6a9a1000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: G
                                            • API String ID: 0-985283518
                                            • Opcode ID: c2560018a75bc3aeaaeef43c15fe22876267f0ba5b7d4387af41704e6c402683
                                            • Instruction ID: 465bf7cf57b82e518bf13ce46b33d5fc2f4eb0f5f98c78548120fdf70b6df764
                                            • Opcode Fuzzy Hash: c2560018a75bc3aeaaeef43c15fe22876267f0ba5b7d4387af41704e6c402683
                                            • Instruction Fuzzy Hash: 4751C93562872A8BC718DF78D8904EA73E2EBD1324B50CB3DE599C71D8E771921ACA40
                                            Function 6AAF1D0F Relevance: 1.4, Strings: 1, Instructions: 136COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006AAF0000.00000020.00000001.01000000.00000004.sdmp, Offset: 6AAF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6aaf0000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: +
                                            • API String ID: 0-2126386893
                                            • Opcode ID: c863c17c42bb3e9bfc5462a4c72eca296e92f7885d04f80eca3e1016d168c5c7
                                            • Instruction ID: f32847047ea604da3a978615f677e62d9a86e8163ee9fd3f27d8aaa9f94a7163
                                            • Opcode Fuzzy Hash: c863c17c42bb3e9bfc5462a4c72eca296e92f7885d04f80eca3e1016d168c5c7
                                            • Instruction Fuzzy Hash: 004199354256274BD72DFA38C8618F633D2EBC6324B91837E8193875D5DB7A814BCA81
                                            Function 6A9AE8BF Relevance: 1.4, Strings: 1, Instructions: 134COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006A9A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6A9A1000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6a9a1000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: _
                                            • API String ID: 0-701932520
                                            • Opcode ID: e49bff5bc2a2bca5dbb71dd4eef309022455fa3e915ed9cf38cb7dfc43c65248
                                            • Instruction ID: 94a269f4c09dfb10683609e97cfeab3659647d46a45618edc016e2e88f9b8132
                                            • Opcode Fuzzy Hash: e49bff5bc2a2bca5dbb71dd4eef309022455fa3e915ed9cf38cb7dfc43c65248
                                            • Instruction Fuzzy Hash: 0951CA711083128BC714DF28E0948EB73E2FBC5355F64893DC5568B69AEB3A5419CFC1
                                            Function 6AAF3F7F Relevance: 1.3, Strings: 1, Instructions: 99COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006AAF0000.00000020.00000001.01000000.00000004.sdmp, Offset: 6AAF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6aaf0000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: W
                                            • API String ID: 0-655174618
                                            • Opcode ID: 28620291c56d1d0a5845a700d9235837d120b2e4a451395d17c03f12e50ceac6
                                            • Instruction ID: ee62c58dad0ea8b173c86338cd5ca8f8b872d75008e421762dabf9c5089504f2
                                            • Opcode Fuzzy Hash: 28620291c56d1d0a5845a700d9235837d120b2e4a451395d17c03f12e50ceac6
                                            • Instruction Fuzzy Hash: 134144302082438FC729DF68D5A08AAB7E1FFC9318F25C96CD0858B4A1E735A11ADF42
                                            Function 6A9AF302 Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006A9A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6A9A1000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6a9a1000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: b
                                            • API String ID: 0-1908338681
                                            • Opcode ID: 6ffe4089baa7f2c0818e8ac0d4c22f9adb071d0f3dbfcef7946c25a042cae627
                                            • Instruction ID: 42d56debf88d724481eda617d399bd3e5d6d9cbbad18c99d8304c31b1735bedc
                                            • Opcode Fuzzy Hash: 6ffe4089baa7f2c0818e8ac0d4c22f9adb071d0f3dbfcef7946c25a042cae627
                                            • Instruction Fuzzy Hash: CB317431518B6287C718DE3C90688B6B7E1EFD9300F50467DC096C75E5EB365029CF80
                                            Function 6AAF3B24 Relevance: .1, Instructions: 125COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006AAF0000.00000020.00000001.01000000.00000004.sdmp, Offset: 6AAF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6aaf0000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 797f522c5caa15ded88d2a6c2cce0fb06e713e80402dcfa11a24b6790cf82e60
                                            • Instruction ID: 71066bebe377732a0d416a7e9546d746d79af0a33ebd0b28f36b4cafa169f4d0
                                            • Opcode Fuzzy Hash: 797f522c5caa15ded88d2a6c2cce0fb06e713e80402dcfa11a24b6790cf82e60
                                            • Instruction Fuzzy Hash: AE41CA312082164BDB18EE78D850ADBB7E2EFC5324F15C63C9996C7595C73A411A8781
                                            Function 6A9AC52C Relevance: .1, Instructions: 110COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006A9A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6A9A1000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6a9a1000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a59612496f1594ebd591f4afd8d0dfd66c57d4a38b0a6f5063599bc2efc150e2
                                            • Instruction ID: fc4f221a944f1ceda953a5457ef74b2ff230bcb8cd55d50e154cfabfca9f5989
                                            • Opcode Fuzzy Hash: a59612496f1594ebd591f4afd8d0dfd66c57d4a38b0a6f5063599bc2efc150e2
                                            • Instruction Fuzzy Hash: 5441CB3951520B8BD328EF3CE99A4FA7792EBC5321F209B2DD4A6C34D5D7394016CA05
                                            Function 6AAF306D Relevance: .1, Instructions: 109COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006AAF0000.00000020.00000001.01000000.00000004.sdmp, Offset: 6AAF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6aaf0000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b0b2e1c39fca928688536c413dc0c1670c184049abfe3d745d3ef58c83a9243d
                                            • Instruction ID: fa2692cf3472eedbdddd1f51675a5c74fc671fe00da2abecbbe05b4a6362ba90
                                            • Opcode Fuzzy Hash: b0b2e1c39fca928688536c413dc0c1670c184049abfe3d745d3ef58c83a9243d
                                            • Instruction Fuzzy Hash: 6C319B7160460A4BC30CEE79D8595B673A3ABC4312F10D73DD806CB5CDEF39951A8240
                                            Function 6A9AE551 Relevance: .1, Instructions: 87COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006A9A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6A9A1000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6a9a1000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 90a4c43cd05ae3099e4df64ba6c3f1143c314ca3a3c109acb973b909d38b386d
                                            • Instruction ID: 770bbf0b98bd95b9756f26a8608813806489a2c58901ea4c8972c7253cc9b7fd
                                            • Opcode Fuzzy Hash: 90a4c43cd05ae3099e4df64ba6c3f1143c314ca3a3c109acb973b909d38b386d
                                            • Instruction Fuzzy Hash: 642198351186154BC718DF3CEC941EA3792EB86320F10972EB553875E6EB39884ACB41
                                            Function 6A9ABF5C Relevance: .1, Instructions: 83COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006A9A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6A9A1000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6a9a1000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 20a29bbc08f68f34e1b658b00fac6a427a79bff3698ca0e6b23eba7c9a2ddf41
                                            • Instruction ID: aca13f316f0ece2af60e92b32dc1a5da83f98298b0c5e67e829f177214da8a3a
                                            • Opcode Fuzzy Hash: 20a29bbc08f68f34e1b658b00fac6a427a79bff3698ca0e6b23eba7c9a2ddf41
                                            • Instruction Fuzzy Hash: 1221663160451A8BDB1CCE2DD8908F67392FFD8315F65C23EE81BCB695EB34A51ACA40
                                            Function 6A73503C Relevance: .1, Instructions: 77COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006A735000.00000020.00000001.01000000.00000004.sdmp, Offset: 6A735000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6a735000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b05346f6401e9224a0b02695429768745c1299fb79248292750034f4831e8ae8
                                            • Instruction ID: fc6569135ec403bdb2f778c7680b1a6e7c6c62973715c4ba03e2c01c584c0227
                                            • Opcode Fuzzy Hash: b05346f6401e9224a0b02695429768745c1299fb79248292750034f4831e8ae8
                                            • Instruction Fuzzy Hash: BD214B22710E1A0BD31CDE3CCCA49E62383BBC5324F85C73C4626CB2D9EE79954E8644
                                            Function 6B103316 Relevance: .1, Instructions: 67COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2351646860.000000006B0FE000.00000020.00000001.01000000.00000004.sdmp, Offset: 6B0FE000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6b0fe000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a507cedf5a1e8f0021fdf66af290acbbda262cbe0fa30bc2c0f1c021fc0a9b4b
                                            • Instruction ID: e9120a9fdc004109c3240adc6a9f7b11270c1869f1d5e38680ea7024c0ad06ed
                                            • Opcode Fuzzy Hash: a507cedf5a1e8f0021fdf66af290acbbda262cbe0fa30bc2c0f1c021fc0a9b4b
                                            • Instruction Fuzzy Hash: F42149325152658FCB59DF39E4EA2ABBBA0FF06304B0900DDC85657692DF30A066CB91
                                            Function 6AAF6E83 Relevance: .1, Instructions: 51COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006AAF0000.00000020.00000001.01000000.00000004.sdmp, Offset: 6AAF0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6aaf0000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6ff7631757c5ba6fc1eba2ff1159c96a3a77237fa72961e13ed20c1c1f04d0d1
                                            • Instruction ID: b42b09a65dc1a6538ce9ae12494595ed25e976763e5837f4be04d0bece6cb666
                                            • Opcode Fuzzy Hash: 6ff7631757c5ba6fc1eba2ff1159c96a3a77237fa72961e13ed20c1c1f04d0d1
                                            • Instruction Fuzzy Hash: DF019C2110252657D71CD634C8726F763D1EB86328FD5423C8633929E1EB1AD45FD200
                                            Function 6AAD37FA Relevance: .0, Instructions: 47COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2198139922.000000006AAC7000.00000020.00000001.01000000.00000004.sdmp, Offset: 6AAC7000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_6aac7000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ca2bc64220a9d65646379ae86298907fc6d5cd11cc569ff2a6a8310105a311b
                                            • Instruction ID: 1f4e88ea2a9fad065396aeeedc048c884e17f0693c911b87568a711e328b6057
                                            • Opcode Fuzzy Hash: 0ca2bc64220a9d65646379ae86298907fc6d5cd11cc569ff2a6a8310105a311b
                                            • Instruction Fuzzy Hash: FD019920215A2747DB08E57284A44F333E38B97301BA5D67DD845CFAC2E169510F7B00

                                            Execution Graph

                                            Execution Coverage:0.9%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:80%
                                            Total number of Nodes:5
                                            Total number of Limit Nodes:0

                                            Executed Functions

                                            Function 6C2DF95B Relevance: 1.6, APIs: 1, Instructions: 60nativeCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 0 6c2df95b-6c2dfa2f NtQueryInformationProcess
                                            APIs
                                            • NtQueryInformationProcess.NTDLL ref: 6C2DF9A6
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2351779938.000000006C2DB000.00000020.00000001.01000000.00000004.sdmp, Offset: 6C2DB000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_6c2db000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID: InformationProcessQuery
                                            • String ID:
                                            • API String ID: 1778838933-0
                                            • Opcode ID: 21e690c387102b7e2a5af65a9a7fd1b7e07bbbc87f2644d724af6b28db2cc305
                                            • Instruction ID: fbb6503ae4120ba00c441ee77ebb80f6c79045ca6db152d915d0aa2861d919e1
                                            • Opcode Fuzzy Hash: 21e690c387102b7e2a5af65a9a7fd1b7e07bbbc87f2644d724af6b28db2cc305
                                            • Instruction Fuzzy Hash: 9B119B36A0422A4FCB1CCF6D98605BA33E2AFC5320B25C17EDA11C73D5E2744E068750
                                            Function 6C0E99BF Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 2 6c0e99bf-6c0e9a00 NtDelayExecution
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2351779938.000000006C0DC000.00000020.00000001.01000000.00000004.sdmp, Offset: 6C0DC000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_6c0dc000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID: DelayExecution
                                            • String ID:
                                            • API String ID: 1249177460-0
                                            • Opcode ID: 7cb5c4d3da7964af6edaddb0238f88370f03cc3be38469e74534837a7dd3ba09
                                            • Instruction ID: adfd41e4e2f361a0789010b33b2f621c3d14d516543639fe52191396ec1be1bb
                                            • Opcode Fuzzy Hash: 7cb5c4d3da7964af6edaddb0238f88370f03cc3be38469e74534837a7dd3ba09
                                            • Instruction Fuzzy Hash: B5E0DF7A6092684F8B00DEACA8404887792AB80911B120266FC54CF388D7305A008B00
                                            Function 6C24AFA7 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 3 6c24afa7-6c24afef NtQuerySystemInformation
                                            APIs
                                            • NtQuerySystemInformation.NTDLL ref: 6C24AFAB
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2351779938.000000006C245000.00000020.00000001.01000000.00000004.sdmp, Offset: 6C245000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_6c245000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID: InformationQuerySystem
                                            • String ID:
                                            • API String ID: 3562636166-0
                                            • Opcode ID: 3f2c443862db35631744f2030fb28e354e1c6b1b6ed87def8d73689c8171a188
                                            • Instruction ID: 97f35d1aec3ffe475ecbec20b418aaac485ed9c0a431a1cd77f06f94456a30d8
                                            • Opcode Fuzzy Hash: 3f2c443862db35631744f2030fb28e354e1c6b1b6ed87def8d73689c8171a188
                                            • Instruction Fuzzy Hash: 30E0923580426A9FC710DE49E8405E6B3E2EBDD323F558276899883154E6326D358A50
                                            Function 6A1A8A7D Relevance: 1.4, Strings: 1, Instructions: 191COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 5 6a1a8a7d-6a1a8a7e 6 6a1a8ac3-6a1a8c89 5->6 7 6a1a8a81-6a1a8a87 5->7 32 6a1a8c94-6a1a8d12 6->32 8 6a1a8a89 7->8 9 6a1a8a24-6a1a8a2b 7->9 10 6a1a8a8b-6a1a8a8e 8->10 11 6a1a8a23-6a1a8a3f 8->11 12 6a1a8a0a-6a1a8a22 9->12 13 6a1a8a4b 9->13 10->13 15 6a1a8a90-6a1a8ac1 10->15 16 6a1a8a4c 11->16 21 6a1a8a41-6a1a8a4a 11->21 12->11 13->16 15->6 19 6a1a8aa8-6a1a8ac1 16->19 20 6a1a8a4e 16->20 19->6 23 6a1a8a4f 20->23 21->13 23->23 25 6a1a8a51 23->25 26 6a1a8a19-6a1a8a22 25->26 27 6a1a8a53-6a1a8a5c 25->27 26->11 29 6a1a89f9-6a1a8a02 27->29 30 6a1a8a5e-6a1a8a63 27->30 29->26 30->19
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2231054622.000000006A190000.00000020.00000001.01000000.00000004.sdmp, Offset: 6A190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_6a190000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: A
                                            • API String ID: 0-3554254475
                                            • Opcode ID: 9b81c500c3047780df4a37fc713ec95137ec879e026cbf8b4b655aea83aab496
                                            • Instruction ID: afb909062f8607c67d05897783e1ee660692fa777fb330deefe133e9b3ee0b96
                                            • Opcode Fuzzy Hash: 9b81c500c3047780df4a37fc713ec95137ec879e026cbf8b4b655aea83aab496
                                            • Instruction Fuzzy Hash: E361EE365042918BD334DF2CD9449ABB3E2FFC8314F66C67DD28A47695EB365806CB42
                                            Function 6A1A8A3D Relevance: 1.4, Strings: 1, Instructions: 187COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 35 6a1a8a3d-6a1a8a3f 36 6a1a8a4c 35->36 37 6a1a8a41-6a1a8a4b 35->37 39 6a1a8aa8-6a1a8c4a 36->39 40 6a1a8a4e 36->40 37->36 53 6a1a8c51-6a1a8c89 39->53 41 6a1a8a4f 40->41 41->41 43 6a1a8a51 41->43 44 6a1a8a19-6a1a8a23 43->44 45 6a1a8a53-6a1a8a5c 43->45 44->35 48 6a1a89f9-6a1a8a02 45->48 49 6a1a8a5e-6a1a8a63 45->49 48->44 49->39 54 6a1a8c94-6a1a8d12 53->54
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2231054622.000000006A190000.00000020.00000001.01000000.00000004.sdmp, Offset: 6A190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_6a190000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: A
                                            • API String ID: 0-3554254475
                                            • Opcode ID: 8f9f22918c676fcc9ef3d535b1065b961dfba893e5b45c66e735fff8ee5402dd
                                            • Instruction ID: 3697c6fff2e96819167589ec65620d5829d78bbaa6b293d836acd8606fbff60a
                                            • Opcode Fuzzy Hash: 8f9f22918c676fcc9ef3d535b1065b961dfba893e5b45c66e735fff8ee5402dd
                                            • Instruction Fuzzy Hash: 8C61D0755082928FD324DB2CD8548AAB3E2FFC9314F65C6BEC1868B5D1EB365416CB42
                                            Function 6BFE664E Relevance: 1.5, APIs: 1, Instructions: 7memoryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 4 6bfe664e-6bfe665d RtlAllocateHeap
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2351779938.000000006BFE0000.00000020.00000001.01000000.00000004.sdmp, Offset: 6BFE0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_6bfe0000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: 251fc1b22fd9affc7c31d2ecd3d5d20f8d14ff00ad051e453edc9e5394cc9072
                                            • Instruction ID: bc85e6c7bd435ea002bb611a24f62009baee8ac13f52563992bf3e17713d5825
                                            • Opcode Fuzzy Hash: 251fc1b22fd9affc7c31d2ecd3d5d20f8d14ff00ad051e453edc9e5394cc9072
                                            • Instruction Fuzzy Hash: AEA022FC030002CBBA00F38ECC088A22A20F3C0B823003808B020F3288CF22CC83E800
                                            Function 6C24F023 Relevance: .0, Instructions: 25COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 57 6c24f023-6c24f027 58 6c24f02d-6c24f089 57->58
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2351779938.000000006C24D000.00000020.00000001.01000000.00000004.sdmp, Offset: 6C24D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_6c24d000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 97a6cb211c92f4271c8de463b81c582ffe4ad2ade1d9aae395345f9c458dd231
                                            • Instruction ID: 03e7b4214303dd3c08c532650938c054fde64a63893150679a26e771cc65d0ea
                                            • Opcode Fuzzy Hash: 97a6cb211c92f4271c8de463b81c582ffe4ad2ade1d9aae395345f9c458dd231
                                            • Instruction Fuzzy Hash: C1F09A316083088F8B00EF48A88095AB3E1FF98350F63847DAA5DC3602DB3559288B46

                                            Non-executed Functions

                                            Function 6C041229 Relevance: 5.1, Strings: 4, Instructions: 110COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 59 6c041229-6c04141f
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2351779938.000000006C03E000.00000020.00000001.01000000.00000004.sdmp, Offset: 6C03E000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_6c03e000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $$e$h$x
                                            • API String ID: 0-2916337589
                                            • Opcode ID: f594eb5ffef8e0c41e82181664f7d6929469ef9c0ea9272630586ad1408e5266
                                            • Instruction ID: fd7663a65ec1a4acd544393bfe3dbc53c2cefa442dfeeebe86a6d106310c3a43
                                            • Opcode Fuzzy Hash: f594eb5ffef8e0c41e82181664f7d6929469ef9c0ea9272630586ad1408e5266
                                            • Instruction Fuzzy Hash: 124169312083478BD318EF24E5411EBB7E6FFD6310F618A3DC48247858EB39525ACB82
                                            Function 6C14C23A Relevance: .1, Instructions: 98COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.2351779938.000000006C14C000.00000020.00000001.01000000.00000004.sdmp, Offset: 6C14C000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_6c14c000_OperaWebPros.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 30b621805bd8cd679d32d0e574a000fcdbb3982b0595efaf813a2d0847d68ee4
                                            • Instruction ID: ed8e761c006eb9e48ecf90d57f77ab023c1128cb6e52f2b4fcacd95cbd7eb999
                                            • Opcode Fuzzy Hash: 30b621805bd8cd679d32d0e574a000fcdbb3982b0595efaf813a2d0847d68ee4
                                            • Instruction Fuzzy Hash: E0219A6106C57E4F931C9A6CA8845B033DAF795306B101B3EDDC7D30C6E924944386C1