Windows Analysis Report
jNeaezBuo8.exe

Overview

General Information

Sample name: jNeaezBuo8.exe (renamed because the original name is a hash value)
Original sample name: dfe244414c8461175241ce54707eb6b6.exe
Analysis ID: 1429049
MD5: dfe244414c8461175241ce54707eb6b6
SHA1: 1c94e583b7058d01dad42d56ef5ddf17b64b5778
SHA256: 6b7baa1db0d2ed5c12dfb8f289449384ff821110f9b490379c5fcd9190090f4e
Tags: 64, exe, trojan

Detection

Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected Glupteba
Yara detected Mars stealer
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected zgRAT
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Creates HTML files with .exe extension (expired dropper behavior)
Disable Windows Defender real time protection (registry)
Disables UAC (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the document folder of the user
Drops script or batch files to the startup folder
Exclude list of file types from scheduled, custom, and real-time scanning
Found Tor onion address
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies Group Policy settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses process hollowing technique
Searches for specific processes (likely to inject)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Windows Defender Exclusions Added - Registry
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
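
The Defender-tampering signatures in the list above (directory and extension exclusions, real-time protection disabled through the registry, and the two Sigma rules on MpPreference cmdlets, including the base64-encoded form) can be checked on an endpoint's telemetry with detection logic like the following. This is an added example and is not part of the Joe Sandbox report. The records in SAMPLE_EVENTS are constructed for illustration; they are not the command lines or registry writes this sample issued (the report does not reproduce them). The rule names mirror the report's Sigma names where one exists; the registry paths are the documented Windows Defender locations, and the function names and event layout are this example's own choices.

```python
"""Detection logic for Defender exclusion / disable tampering (added example)."""
import base64
import re

# Cmdlet-based tampering, matched on the literal or the decoded command line.
MPPREF_RE = re.compile(r"(Add|Set)-MpPreference", re.IGNORECASE)
EXCLUSION_RE = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.IGNORECASE)
DISABLE_RE = re.compile(
    r"-Disable(RealtimeMonitoring|IOAVProtection|BehaviorMonitoring)\s+\$?true",
    re.IGNORECASE,
)
# -EncodedCommand and its short aliases carry a base64 blob of UTF-16LE script.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Registry locations that back the same settings; malware that writes these
# directly never touches the cmdlet, so both channels must be watched.
DEFENDER_REG_PREFIXES = (
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\",
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\",
)
DEFENDER_REG_VALUES = {
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
    "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_process(cmdline):
    """Classify one process-creation command line; returns the matching rule names."""
    hits = []
    decoded = decode_encoded_command(cmdline)
    for text, was_encoded in ((cmdline, False), (decoded, True)):
        if not text or not MPPREF_RE.search(text):
            continue
        if was_encoded:
            hits.append("Powershell Base64 Encoded MpPreference Cmdlet")
        if EXCLUSION_RE.search(text):
            hits.append("Powershell Defender Exclusion")
        if DISABLE_RE.search(text):
            hits.append("Powershell Defender Real-Time Protection Disabled")
    return sorted(set(hits))


def check_registry(key_path):
    """Classify one registry-set event by its full key/value path."""
    if key_path.startswith(DEFENDER_REG_PREFIXES):
        return ["Windows Defender Exclusions Added - Registry"]
    if key_path in DEFENDER_REG_VALUES:
        return ["Windows Defender Disabled - Registry"]
    return []


def _encode(script):
    """Build a PowerShell -EncodedCommand argument (used only to construct samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# CONSTRUCTED sample events (kind, data); not taken from the report.
SAMPLE_EVENTS = [
    ("process", "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
                + _encode('Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Local"')),
    ("process", "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("process", "powershell.exe Get-Process"),
    ("registry", "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ProgramData"),
    ("registry", "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring"),
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every event; returns (rule, truncated evidence) pairs."""
    alerts = []
    for kind, data in events:
        rules = check_process(data) if kind == "process" else check_registry(data)
        alerts.extend((rule, data[:60]) for rule in rules)
    return alerts


if __name__ == "__main__":
    for rule, evidence in run():
        print(f"{rule}: {evidence}")
```

Feed check_process the command line from process-creation telemetry (Sysmon event 1 or Security 4688) and check_registry the target object from registry-set events (Sysmon event 13); the decode step matters because the report's "Very long cmdline option" signature is exactly what an encoded cmdlet looks like in those logs.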

Classification

Name: Glupteba
Description: Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT also has an infostealer component that targets browser information and crypto wallets. It usually spreads via USB or phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: C:\Users\user\AppData\Local\0TU9HPJqFrjaMH2ab2eutLT6.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\0TU9HPJqFrjaMH2ab2eutLT6.exe Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Local\0UUxNGvo5SBoNXrhVKNnInBZ.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\0UUxNGvo5SBoNXrhVKNnInBZ.exe Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Local\1xM2kELmlEwT0ZdAXbxTFlAd.exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\1xM2kELmlEwT0ZdAXbxTFlAd.exe Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Local\25hX7FI1dURDmB4jtoeQIHHK.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\25hX7FI1dURDmB4jtoeQIHHK.exe Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\4LMGAkDVX3uzZmWUtCmUEDjB.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\4LMGAkDVX3uzZmWUtCmUEDjB.exe Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Local\5gwWc5VKcUZ5WZf8qmiy07XG.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\5gwWc5VKcUZ5WZf8qmiy07XG.exe Virustotal: Detection: 57%
Source: C:\Users\user\AppData\Local\5tBur4jOD2uiOR7o9hLJxfah.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\5tBur4jOD2uiOR7o9hLJxfah.exe Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Local\6MTG5E8zAXefmLFaBJ11MZso.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\6MTG5E8zAXefmLFaBJ11MZso.exe Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\6gZRu0dCotZWu6pX7Uek4x9E.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\6gZRu0dCotZWu6pX7Uek4x9E.exe Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Local\7eNXk0Z1HqnaBEGvizZr7Der.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\7eNXk0Z1HqnaBEGvizZr7Der.exe Virustotal: Detection: 44%
Source: C:\Users\user\AppData\Local\8b0TqH5XXd1pMSAXbXhjKZq0.exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\8b0TqH5XXd1pMSAXbXhjKZq0.exe Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Local\92kAaDTkDhRrMy0DmXOUqiGt.exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\92kAaDTkDhRrMy0DmXOUqiGt.exe Virustotal: Detection: 47%
Source: jNeaezBuo8.exe ReversingLabs: Detection: 18%
Source: jNeaezBuo8.exe Virustotal: Detection: 28%
Source: Yara match File source: 12.2.OOMSHFu8BfhOzlMYdVgLGKxh.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.TXqT6X30DuHmvWeCAIdAJgkl.exe.4870000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.oV9qcl4WOt6pr8Qw3ls1WbNr.exe.4790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.OOMSHFu8BfhOzlMYdVgLGKxh.exe.4800000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: oV9qcl4WOt6pr8Qw3ls1WbNr.exe PID: 3580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OOMSHFu8BfhOzlMYdVgLGKxh.exe PID: 2828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TXqT6X30DuHmvWeCAIdAJgkl.exe PID: 7732, type: MEMORYSTR
Source: jNeaezBuo8.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree, 18_2_00409540
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_004155A0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 18_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 18_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 18_2_004094A0
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat, 18_2_0040BF90
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_03659707 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 18_2_03659707
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_036597A7 CryptUnprotectData,LocalAlloc,LocalFree, 18_2_036597A7
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_03656E77 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 18_2_03656E77
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0365C1F7 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat, 18_2_0365C1F7
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_03665807 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 18_2_03665807

Exploits

Source: Yara match File source: 00000000.00000002.3054104711.000001BCA9772000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3054104711.000001BCA9B98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jNeaezBuo8.exe PID: 3636, type: MEMORYSTR

Bitcoin Miner

Source: Yara match File source: 12.2.OOMSHFu8BfhOzlMYdVgLGKxh.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.TXqT6X30DuHmvWeCAIdAJgkl.exe.4870000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.oV9qcl4WOt6pr8Qw3ls1WbNr.exe.4790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.OOMSHFu8BfhOzlMYdVgLGKxh.exe.4800000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: oV9qcl4WOt6pr8Qw3ls1WbNr.exe PID: 3580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OOMSHFu8BfhOzlMYdVgLGKxh.exe PID: 2828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TXqT6X30DuHmvWeCAIdAJgkl.exe PID: 7732, type: MEMORYSTR

Compliance

Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Unpacked PE file: 10.2.KB7dlYN3AfN1oeAtjoqEId5Q.exe.400000.0.unpack
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Unpacked PE file: 12.2.OOMSHFu8BfhOzlMYdVgLGKxh.exe.400000.2.unpack
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Unpacked PE file: 18.2.u4n8.0.exe.400000.0.unpack
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Unpacked PE file: 24.2.qVgCKtvfJNb4NfGV6kK2PcSn.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5vc.0.exe Unpacked PE file: 33.2.u5vc.0.exe.400000.0.unpack
Source: C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe Unpacked PE file: 36.2.bOYJAXg8qqrEFblwExl79wvd.exe.400000.0.unpack
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240420115400624.log
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240420115404185.log
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240420115407543.log
Source: C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240420115432335.log
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\resources\opera_intro_extension\index.js.LICENSE.txt
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: jNeaezBuo8.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\yicukewiceyal\ge.pdb source: KB7dlYN3AfN1oeAtjoqEId5Q.exe, 0000000A.00000003.2076217074.0000000003751000.00000004.00000020.00020000.00000000.sdmp, u4n8.0.exe, 00000012.00000000.2074815643.000000000041B000.00000002.00000001.01000000.00000012.sdmp, qVgCKtvfJNb4NfGV6kK2PcSn.exe, 00000018.00000003.2166185579.0000000003821000.00000004.00000020.00020000.00000000.sdmp, u3a8.0.exe, 0000002F.00000000.2232630667.000000000041B000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: symsrv.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000005008000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000005078000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000C7A000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: C:\nedadovisiguc\bibufedepisoh\jegode\yapogiboj\hi.pdb source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2174618549.00000191A3BE7000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172221081.00000191A3C49000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188372013.00000191A3EDF000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2174987664.00000191A3C54000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2174618549.00000191A3C51000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2193224291.00000191A420C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\javagevo77\xonete\zedikacap-kumefuhan_yevezocusir\nisev.pdb source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2224713944.00000191A3CF1000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2215504283.00000191A3BE6000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2222570320.00000191A3BE7000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2212637662.00000191A3CA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DC:\yicukewiceyal\ge.pdb source: KB7dlYN3AfN1oeAtjoqEId5Q.exe, 0000000A.00000003.2076217074.0000000003751000.00000004.00000020.00020000.00000000.sdmp, u4n8.0.exe, 00000012.00000000.2074815643.000000000041B000.00000002.00000001.01000000.00000012.sdmp, qVgCKtvfJNb4NfGV6kK2PcSn.exe, 00000018.00000003.2166185579.0000000003821000.00000004.00000020.00020000.00000000.sdmp, u3a8.0.exe, 0000002F.00000000.2232630667.000000000041B000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: symsrv.pdbGCTL source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000005008000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000005078000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000C7A000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004F3B000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8>C:\javagevo77\xonete\zedikacap-kumefuhan_yevezocusir\nisev.pdb source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2224713944.00000191A3CF1000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2215504283.00000191A3BE6000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2222570320.00000191A3BE7000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2212637662.00000191A3CA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\bivonare pif.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000000.2044586554.000000000041B000.00000002.00000001.01000000.00000008.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000000.2044626083.000000000041B000.00000002.00000001.01000000.00000009.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2229512304.00000191A4D81000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2243509355.00000191A47D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2221228866.00000191A3EDF000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2223589423.00000191A3EDF000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2212781209.00000191A3C33000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2212312951.00000191A3CF1000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2223589423.00000191A3F08000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2231025618.00000191A446A000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2223860055.00000191A3F8A000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2224712272.00000191A50DB000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2226978323.00000191A457E000.00000004.00000020.00020000.00000000.sdmp, 7h3MwjMZ6vEaBgd6kdodu3Pw.exe, 00000019.00000000.2099968954.000000000041B000.00000002.00000001.01000000.00000017.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000000.2099955782.000000000041B000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: dbghelp.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: dbghelp.pdbGCTL source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: Loader.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RC:\nedadovisiguc\bibufedepisoh\jegode\yapogiboj\hi.pdb source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2174618549.00000191A3BE7000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172221081.00000191A3C49000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188372013.00000191A3EDF000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2174987664.00000191A3C54000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2174618549.00000191A3C51000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2193224291.00000191A420C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb7 source: OOMSHFu8BfhOzlMYdVgLGKxh.exe, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3370822127.0000000003A09000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054480906.0000000000907000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058903181.0000000000907000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063547278.0000000000CE7000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000002.2070475938.0000000000CE7000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2081878811.0000000000907000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090225681.0000000000907000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2177073279.00000191A3CA0000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2176633575.00000191A3D63000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2179182546.00000191A3EDE000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2179501454.00000191A3EDF000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2178658771.00000191A3B51000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2179182546.00000191A3DAF000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2176852284.00000191A3C86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\yixeki-ciguwan38_buyej\jobo.pdb source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170309443.00000191A3BE6000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172221081.00000191A3C1E000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170431588.00000191A3BFE000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172136795.00000191A3CF1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: Qg_Appv5.exe, 00000031.00000002.3153910263.00000252B15C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: .pdb.dbg source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: '(EfiGuardDxe.pdbx source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004F3B000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: Qg_Appv5.exe, 00000031.00000002.3153910263.00000252B15C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: LNC:\noyofalivam\xeguhukur.pdb source: KB7dlYN3AfN1oeAtjoqEId5Q.exe, 0000000A.00000000.2032754701.000000000041B000.00000002.00000001.01000000.00000007.sdmp, KB7dlYN3AfN1oeAtjoqEId5Q.exe, 0000000A.00000002.2684591676.0000000001C98000.00000004.00000020.00020000.00000000.sdmp, qVgCKtvfJNb4NfGV6kK2PcSn.exe, 00000018.00000002.2675239063.0000000001D58000.00000004.00000020.00020000.00000000.sdmp, qVgCKtvfJNb4NfGV6kK2PcSn.exe, 00000018.00000000.2090215768.000000000041B000.00000002.00000001.01000000.00000015.sdmp, bOYJAXg8qqrEFblwExl79wvd.exe, 00000024.00000003.2378051986.0000000001C5E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\noyofalivam\xeguhukur.pdb source: KB7dlYN3AfN1oeAtjoqEId5Q.exe, 0000000A.00000000.2032754701.000000000041B000.00000002.00000001.01000000.00000007.sdmp, KB7dlYN3AfN1oeAtjoqEId5Q.exe, 0000000A.00000002.2684591676.0000000001C98000.00000004.00000020.00020000.00000000.sdmp, qVgCKtvfJNb4NfGV6kK2PcSn.exe, 00000018.00000002.2675239063.0000000001D58000.00000004.00000020.00020000.00000000.sdmp, qVgCKtvfJNb4NfGV6kK2PcSn.exe, 00000018.00000000.2090215768.000000000041B000.00000002.00000001.01000000.00000015.sdmp, bOYJAXg8qqrEFblwExl79wvd.exe, 00000024.00000003.2378051986.0000000001C5E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: GC:\bivonare pif.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000000.2044586554.000000000041B000.00000002.00000001.01000000.00000008.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000000.2044626083.000000000041B000.00000002.00000001.01000000.00000009.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2229512304.00000191A4D81000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2243509355.00000191A47D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2221228866.00000191A3EDF000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2223589423.00000191A3EDF000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2212781209.00000191A3C33000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2212312951.00000191A3CF1000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2223589423.00000191A3F08000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2231025618.00000191A446A000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2223860055.00000191A3F8A000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2224712272.00000191A50DB000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2226978323.00000191A457E000.00000004.00000020.00020000.00000000.sdmp, 7h3MwjMZ6vEaBgd6kdodu3Pw.exe, 00000019.00000000.2099968954.000000000041B000.00000002.00000001.01000000.00000017.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000000.2099955782.000000000041B000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb@ source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054480906.0000000000907000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058903181.0000000000907000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063547278.0000000000CE7000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000002.2070475938.0000000000CE7000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2081878811.0000000000907000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090225681.0000000000907000.00000002.00000001.01000000.0000000B.sdmp

Change of critical system settings

Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{615FC77F-E2C6-42A4-9206-B716C8DC7509}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{615FC77F-E2C6-42A4-9206-B716C8DC7509}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_0041D9E1 FindFirstFileExA, 10_2_0041D9E1
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_036FDC48 FindFirstFileExA, 10_2_036FDC48
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 18_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 18_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 18_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 18_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 18_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 18_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 18_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 18_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 18_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_036627D7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 18_2_036627D7
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0365D7A7 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 18_2_0365D7A7
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_03661DE7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 18_2_03661DE7
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0365DDC7 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 18_2_0365DDC7
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0365B877 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 18_2_0365B877
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_03662457 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 18_2_03662457
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0365D427 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 18_2_0365D427
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_03651827 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 18_2_03651827
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_036618B7 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 18_2_036618B7
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_0041D9E1 FindFirstFileExA, 24_2_0041D9E1
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_035BDC48 FindFirstFileExA, 24_2_035BDC48
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: JdfOLq5feVdmvpgs0LjMwnYk.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: YmxvYosqIkD3WGgGEugsGOqb.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: 4bYBkn0K6Viq0whmT9GrOAT2.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: LN0iazJKg4ouG4Cdljww54MB.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: QWg34yKRBz8JiYYvcjdOCF7u.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: HEvON99qUwgGwLduKeIY9m3g.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: 3CnPiCdeLO8CgUrP4UbQAnuT.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: AcCKWAY2rit0NCEEiGbFUfH5.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: g35TT2UeUHsZDKZA6nJGp8gx.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: 23pMxNJ8xL8sMiQ1yqjR9K8c.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: AzH3HDqfE4sJkRPVWQxgTBGK.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: AGh4ngOKjyPTA1MhPSfxzINB.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: FsjNHv7s5NA6IdBlB5tiEDD0.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: NQrrqi323gUUzwpQ07ZaUtyD.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: c8NFJMLMDBLJHMdfk3CHDEaB.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: IIk86V9YiLn4TNjhwK5b88VE.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: LaMODovStv6L44RtxbPHwqiL.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: OqOO75a2wSIKDIG5IWuKGcqB.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: eC33Ifke2AUsZVZLjjOpDedu.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: ye3UEN0w9Mq4jWow0YS4nlkv.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: 2SYOkWYTvk5LGtvF2lao7jGV.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: MRPKgRkTLDF1UQ6oHCHgO2XR.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: b2NFEf9NNOHrrOJOfbafhFbt.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: UvqvvueWaeqDSywUKVjveKLn.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: FuozRGJXp2ydaW23lwZTemn8.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: aiwK2P0Fl1cIEArMCknG8Xc8.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: TbSdEIYEOocU4YUObNRWEQIE.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: 09gwdWVOD7BhA0wyn6sTP2SG.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: Eaym9owfXDILaNOlOfhlL9pL.exe.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: j9tdOKRFunkFVu41ydteJnDU.exe.4.dr
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: EraiE9gAjnpZjbi1KlfzUCf5.exe.13.dr
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: pX6Lc7mgFLX2WPHvpZCKNPOu.exe.13.dr
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004790000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe String found in binary or memory: s25519: internal error: setShortBytes called with a long stringhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: handshake message of length %d bytes exceeds maximum o
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe String found in binary or memory: nvalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackint
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000400000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: 7h3MwjMZ6vEaBgd6kdodu3Pw.exe, 00000019.00000003.2112599187.00000000047F0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: Yara match File source: 0.2.jNeaezBuo8.exe.1bca9796998.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jNeaezBuo8.exe.1bca9793f58.1.raw.unpack, type: UNPACKEDPE
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_00426504 __EH_prolog,WSAStartup,socket,WSACleanup,gethostbyname,htons,connect,send,send,recv,recv,recv,recv,recv,WSACleanup,closesocket, 10_2_00426504
Source: ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: c. Facebook Messenger: A messaging service provided by Facebook, Inc., Meta Platforms Ireland Ltd. or related companies, depending on where you are accessing their services. Terms of use are available at https://www.facebook.com/legal/terms; and equals www.facebook.com (Facebook)
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe String found in binary or memory: OS X; U; en) Presto/2.6.30 Version/10.61facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)tls: internal error: handshake returned an error but is marked successfultls: received unexpected handshake message of type %T when waiting for %T equals www.facebook.com (Facebook)
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe String found in binary or memory: o Debian/1.6-7Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php)2695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916 equals www.facebook.com (Facebook)
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222128090.00000000046C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s.opera.com; font-src 'self' https://addons-static.operacdn.com https://addons-media.operacdn.com https://fonts.gstatic.com; frame-ancestors 'none'; connect-src 'self' https://addons-static.operacdn.com https://addons-media.operacdn.com https://sentry-relay.opera-api.com https://www.google-analytics.com https://www.opera.com https://forums.opera.com; style-src 'self' https://addons-static.operacdn.com https://addons-media.operacdn.com; script-src 'self' https://addons-static.operacdn.com https://addons-media.operacdn.com 'report-sample' https://www.google-analytics.com 'nonce-xxLwsFMkrM4FhVaH4M8w6g=='; worker-src 'none'; frame-src https://www.youtube.com https://player.vimeo.com https://vimeo.com; base-uri 'self'; default-src 'none'; media-src https://addons-media.operacdn.com/media/; report-uri https://sentry-relay.opera-api.com/api/170/security/?sentry_key=8718908c4bc211ed9f0d161f2d7f9658 equals www.youtube.com (Youtube)
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.1
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2171002366.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2180091563.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165458577.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170670032.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172594430.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2220340825.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2166039524.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2182352209.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.203/dl.php
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165458577.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.203/dl.php5
Source: u4n8.0.exe, 00000012.00000002.3427320111.0000000001B3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp, u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/freebl3.dll
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/freebl3.dll.
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/mozglue.dll
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/mozglue.dllt
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001B98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/msvcp140.dll
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001B98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/msvcp140.dllH6
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/nss3.dll
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/nss3.dllf
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001B98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/softokn3.dll
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/sqlite3.dll
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/15f649199f40275b/vcruntime140.dll
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp, u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp, u4n8.0.exe, 00000012.00000002.3427480014.0000000001B64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php(
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php-fulluser-l1-1-0
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php-minuser-l1-1-0
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php/
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php1S
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001B64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php3
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001B98000.00000004.00000020.00020000.00000000.sdmp, u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php4
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php4:
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php8
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php:
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.php=
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phpDW
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phpL
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phpY7
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phpd
Source: u4n8.0.exe, 00000012.00000002.3425878817.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phpf3f5989aa6bdf817aeb843d5eb39on
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phph
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phpk0
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phpnts
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phpo7
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001B98000.00000004.00000020.00020000.00000000.sdmp, u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phpp
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phprosoft
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001C22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/3cd2b41cbde8fc9c.phpt
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001B64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/Roaming
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.209/iles
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165955024.00000191A3B24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/dacha/rules.exe
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A399C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/dacha/rules.exe9
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165955024.00000191A3B24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.139/dacha/rules.exej
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2171002366.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2180091563.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165458577.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170670032.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172594430.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2220340825.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2166039524.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2182352209.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/123p.exe
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2171002366.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2180091563.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165458577.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170670032.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172594430.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2220340825.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2166039524.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2182352209.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/123p.exe6
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165955024.00000191A3B24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/123p.exeJ
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A399C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.66.10/download/th/space.php
Source: svchost.exe, 00000009.00000003.2458679256.0000020887178000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2446147451.0000020887181000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2458679256.0000020887181000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3039844827.000002088719C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2446147451.0000020887176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 00000009.00000003.2895247821.0000020887176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/PPCRLwssecurity-utility-1.0.xsd
Source: svchost.exe, 00000009.00000003.2780250440.0000020887176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 00000009.00000003.2039496049.0000020886876000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2620435358.000002088716E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2522138487.0000020887152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 00000009.00000003.2047889657.0000020887842000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://Passport.NET/tb_.com
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe String found in binary or memory: http://archive.org/details/archive.org_bot)Mozilla/5.0
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://autoupdate-staging.services.ams.osa/v4/v5/netinstaller///windows/x64v2/Fetching
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2903913004.0000000039850000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775760354.0000000004616000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769555145.0000000004611000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2905005395.0000000039758000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2061730587.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775856844.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3144321544.0000000039850000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3144363187.0000000039758000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769555145.0000000004611000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2061730587.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2903913004.0000000039850000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769555145.0000000004611000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2905005395.0000000039758000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2061730587.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775156300.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775856844.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3144321544.0000000039850000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3144363187.0000000039758000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769389245.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775156300.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2903913004.0000000039850000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775760354.0000000004616000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769555145.0000000004611000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2905005395.0000000039758000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2061730587.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775856844.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3144321544.0000000039850000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3144363187.0000000039758000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775156300.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crtT
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3370822127.0000000003A09000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.g
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2903913004.0000000039850000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775760354.0000000004616000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769555145.0000000004611000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2905005395.0000000039758000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2061730587.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775856844.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3144321544.0000000039850000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3144363187.0000000039758000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769555145.0000000004611000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2061730587.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2903913004.0000000039850000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769555145.0000000004611000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2905005395.0000000039758000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2061730587.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775156300.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775856844.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3144321544.0000000039850000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3144363187.0000000039758000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769389245.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769555145.0000000004611000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2061730587.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004790000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000400000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004800000.00000004.00001000.00020000.00000000.sdmp, 7h3MwjMZ6vEaBgd6kdodu3Pw.exe, 00000019.00000003.2112599187.00000000047F0000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: svchost.exe, 00000009.00000003.2895289914.0000020887169000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasi
Source: svchost.exe, 00000009.00000003.2895247821.0000020887176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2905525051.000002088717C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.o
Source: svchost.exe, 00000009.00000003.2895247821.0000020887176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2905525051.000002088717C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
Source: svchost.exe, 00000009.00000003.2895247821.0000020887176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2411834420.0000020887107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2295748726.000002088710E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3243305563.0000020887181000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3229618503.0000020887183000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3236988340.000002088710F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2474359019.000002088715A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3252081679.0000020887179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2304708433.000002088710E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2900600399.0000020887186000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2620435358.000002088716E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2591916118.000002088710E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2780250440.0000020887176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2665508786.000002088710E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3243634334.0000020887183000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2869289552.000002088715B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3252081679.0000020887181000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2306925661.000002088710E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3243494859.000002088715B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 00000009.00000003.2458679256.0000020887178000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2446147451.0000020887176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAA
Source: svchost.exe, 00000009.00000003.2375801234.0000020887129000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
Source: svchost.exe, 00000009.00000003.2458679256.0000020887178000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2446147451.0000020887176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdkAGUA
Source: svchost.exe, 00000009.00000003.3252081679.0000020887179000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdmenfo
Source: svchost.exe, 00000009.00000003.2458679256.0000020887178000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2446147451.0000020887176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdmzq6hT
Source: svchost.exe, 00000009.00000003.2039391226.0000020887152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdng
Source: svchost.exe, 00000009.00000003.3243305563.0000020887181000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3243634334.0000020887183000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
Source: svchost.exe, 00000009.00000003.2039391226.0000020887152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdxmlns:
Source: svchost.exe, 00000009.00000003.2895289914.0000020887169000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utili
Source: svchost.exe, 00000009.00000003.2039497387.00000208868D9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2665508786.000002088710E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3243634334.0000020887183000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2869289552.000002088715B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3252081679.0000020887181000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2306925661.000002088710E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3243494859.000002088715B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000009.00000003.2458679256.0000020887178000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2446147451.0000020887176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd1BFH
Source: svchost.exe, 00000009.00000003.2039391226.0000020887152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd4/xml
Source: svchost.exe, 00000009.00000003.2458679256.0000020887178000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2446147451.0000020887176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2375801234.0000020887129000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
Source: svchost.exe, 00000009.00000003.2458679256.0000020887178000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2446147451.0000020887176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2375801234.0000020887129000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
Source: svchost.exe, 00000009.00000003.2458679256.0000020887178000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2446147451.0000020887176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdQqsF
Source: svchost.exe, 00000009.00000003.3254355858.0000020887181000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3252081679.0000020887181000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: svchost.exe, 00000009.00000003.2458679256.0000020887178000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2446147451.0000020887176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdskwp4
Source: svchost.exe, 00000009.00000003.2039391226.0000020887152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdst=
Source: svchost.exe, 00000009.00000003.2780250440.0000020887176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdxV
Source: svchost.exe, 00000009.00000003.2895247821.0000020887176000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2905525051.000002088717C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://docs.sis-op
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe String found in binary or memory: http://grub.org)Mozilla/5.0
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)SonyEricssonK550i/R1JD
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004790000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000400000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004800000.00000004.00001000.00020000.00000000.sdmp, 7h3MwjMZ6vEaBgd6kdodu3Pw.exe, 00000019.00000003.2112599187.00000000047F0000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://invalidlog.txtlookup
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: http://localhost:3001api/prefs/?product=$1&version=$2..
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004790000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000400000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004800000.00000004.00001000.00020000.00000000.sdmp, 7h3MwjMZ6vEaBgd6kdodu3Pw.exe, 00000019.00000003.2112599187.00000000047F0000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe String found in binary or memory: http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769555145.0000000004611000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2061730587.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2903913004.0000000039850000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775760354.0000000004616000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769555145.0000000004611000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2905005395.0000000039758000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2061730587.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775856844.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3144321544.0000000039850000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3144363187.0000000039758000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2903913004.0000000039850000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775760354.0000000004616000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769555145.0000000004611000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2905005395.0000000039758000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2061730587.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775856844.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3144321544.0000000039850000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3144363187.0000000039758000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2903913004.0000000039850000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769555145.0000000004611000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2905005395.0000000039758000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2061730587.00000000037D0000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775156300.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775856844.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3144321544.0000000039850000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3144363187.0000000039758000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769389245.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775156300.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: svchost.exe, 00000009.00000003.2689744741.00000208868D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://passport.net/tb
Source: svchost.exe, 00000009.00000003.3245420400.000002088710E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.mi
Source: svchost.exe, 00000009.00000003.2261901797.0000020887110000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: svchost.exe, 00000009.00000003.3039718551.000002088713B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 00000009.00000003.2306430652.0000020887169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2895289914.0000020887169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3255060827.0000020887169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2474359019.000002088715A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3252081679.0000020887179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2620435358.000002088716E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3249535607.0000020887169000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2375801234.0000020887129000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 00000009.00000003.3243305563.0000020887174000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2869289552.000002088715B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.3243494859.000002088715B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 00000009.00000003.3255902406.0000020887176000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scmlns:ps
Source: svchost.exe, 00000009.00000003.2474359019.000002088715A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2171002366.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2180091563.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170670032.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172594430.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2182352209.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/superworkspacenb/gerge/downloads/grabber.exe5
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2171002366.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2180091563.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170670032.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172594430.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2220340825.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2182352209.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/superworkspacenb/gerge/downloads/grabber.exei
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2171002366.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2180091563.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170670032.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172594430.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2182352209.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/superworkspacenb/gerge/downloads/grabber.exexe
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165458577.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2166039524.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org:80/superworkspacenb/gerge/downloads/grabber.exe
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://blockchain.infoindex
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe String found in binary or memory: https://blockstream.info/apiinva
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2210652331.00000191A3B66000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2236015746.00000191A3B5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c.574859385.xyz/525403/setup.exe
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2210652331.00000191A3B66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://carthewasher.net/0459bbcc9007d32f68bcaa0a07733f6e/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2175505418.00000191A3B89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe String found in binary or memory: https://cdn.discordapp.com/attachments/1088058556286251082/1111230812579450950/TsgVtmYNoFT.zipMozill
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: https://crashpad.chromium.org/
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2061312787.0000000039638000.00000004.00001000.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://crashstats-collector.opera.com/collector/submit
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2175505418.00000191A3B89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2175505418.00000191A3B89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2305639230.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2118709026.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2305639230.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/oupdate=1&ni=1&stream=stable&utm_campaign=767__1
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/ppxBundleSipPutSignedDataMsgDllFuncNamed
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2305639230.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/r-sub.osp.opera.software/
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2305639230.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/ttps://desktop-netinstaller-sub.osp.opera.softwa
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2299586277.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2099761401.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2117360369.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769389245.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2107300717.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2099984461.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775156300.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2299586277.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775156300.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769389245.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2117360369.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binary
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://desktop-netinstaller-sub.osp.opera.software/v1/binaryes
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2117360369.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769389245.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2107300717.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2299586277.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dhttps://download5.operacdn.com/ftp/pub/opera/desktop/109.0.5097.45/win/Opera_109.0.5097.45_
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2117360369.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769389245.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2107300717.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2299586277.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775156300.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.opera.com/
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2305639230.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.opera.com/download/get/?id=65593&autoupdate=1&ni=1&stream=stable&utm_campaign=767__
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2099761401.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2107300717.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2117360369.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000003.2412325574.0000000001197000.00000004.00000020.00020000.00000000.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000003.2412721082.000000000119E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.opera.com/download/get/?id=65635&autoupdate=1&ni=1
Source: ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000003.2412721082.000000000119E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.opera.com/download/get/?id=65635&autoupdate=1&ni=1D
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.opera.com/download/get/?id=65635&autoupdate=1&ni=1Hfpey
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://download.opera.com/download/get/?partner=www&opsys=Windows&utm_source=netinstaller
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2117360369.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769389245.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2107300717.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2299586277.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775156300.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download5.operacdn.com/
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download5.operacdn.com/ftp/pub/.assistant/109.0.5097.45/Assistant_109.0.5097.45_Setup.exe
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download5.operacdn.com/ftp/pub/.assistant/109.0.5097.45/Assistant_109.0.5097.45_Setup.exeOex
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2117360369.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download5.operacdn.com/ftp/pub/opera/desktop/109.0.5097.45/win/Opera_109.0.5097.45_Autoupdat
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2107300717.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download5.operacdn.com/i
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2117360369.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769389245.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2299586277.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775156300.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download5.operacdn.com/uZBk
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2117360369.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2769389245.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2107300717.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2094130143.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2299586277.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2775156300.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://features.opera-api2.com/
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2117360369.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2107300717.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2299586277.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://features.opera-api2.com/%
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2094130143.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://features.opera-api2.com/1L
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2117360369.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2107300717.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2094130143.0000000001018000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2299586277.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://features.opera-api2.com/6
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2094130143.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://features.opera-api2.com/ID
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2107300717.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://features.opera-api2.com/P
Source: ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://features.opera-api2.com/api/v2/features?country=%s&language=%s&uuid=%s&product=%s&channel=%s
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2094130143.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://features.opera-api2.com/api/v2/features?country=US&language=en-GB&uuid=f47cea43-6e45-40f8-a3
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2094130143.0000000001018000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://features.opera-api2.com/l
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222128090.00000000046C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://fonts.gstatic.com;
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222128090.00000000046C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://forums.opera.com;
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://gamemaker.io
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://gamemaker.io)
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://gamemaker.io/en/education.
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://gamemaker.io/en/get.
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2180091563.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2220340825.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2182352209.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigachadfanclub.org/
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2174987664.00000191A3C9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigachadfanclub.org/0459bbcc9007d32f68bcaa0a07733f6e/7725eaa6592c80f8124e769b4e8a07f7.exe
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A39CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigachadfanclub.org/0459bbcc9007d32f68bcaa0a07733f6e/7725eaa6592c80f8124e769b4e8a07f7.exeD
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2174987664.00000191A3C9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gigachadfanclub.org/0459bbcc9007d32f68bcaa0a07733f6e/7725eaa6592c80f8124e769b4e8a07f7.execo1
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe String found in binary or memory: https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exeBlackBerr
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://help.instagram.com/581066165581870;
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://help.opera.com/latest/
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222128090.00000000046C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://i.vimeocdn.com
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222128090.00000000046C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://i.ytimg.com
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222128090.00000000046C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://i1.wp.com
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://legal.opera.com/eula/computers
Source: ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://legal.opera.com/privacy
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://legal.opera.com/privacy.
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://legal.opera.com/terms
Source: ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://legal.opera.com/terms.
Source: svchost.exe, 00000009.00000003.2403567329.000002088788A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 00000009.00000003.2024268870.0000020887129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024520212.0000020887152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2025278032.0000020887156000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000009.00000003.2024268870.0000020887129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024520212.0000020887152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2025278032.0000020887156000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024878299.000002088716B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024878299.000002088716B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024878299.000002088716B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024268870.000002088712C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 00000009.00000003.2689744741.00000208868D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024878299.000002088716B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024878299.000002088716B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 00000009.00000003.2025021670.0000020887127000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srff
Source: svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024878299.000002088716B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2025021670.0000020887127000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024878299.000002088716B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000009.00000003.2025021670.0000020887127000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfX
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024878299.000002088716B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024878299.000002088716B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024268870.000002088712C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 00000009.00000003.2474359019.000002088715A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-DgCYmYKtIadapRDwnjsVnAUYIBnjlxlzJkhAs6xX
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024268870.0000020887129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024520212.0000020887152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2025278032.0000020887156000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024268870.0000020887129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024520212.0000020887152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024268870.0000020887129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024268870.0000020887129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024520212.0000020887152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024878299.000002088716B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 00000009.00000003.2024268870.000002088712C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=805021
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024268870.0000020887129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024268870.0000020887129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024520212.0000020887152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2025278032.0000020887156000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024268870.0000020887129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024520212.0000020887152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 00000009.00000003.2024520212.0000020887152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024268870.0000020887129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024520212.0000020887152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024268870.0000020887129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024520212.0000020887152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024268870.0000020887129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024520212.0000020887152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024268870.0000020887129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024763674.0000020887157000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024520212.0000020887152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 00000009.00000003.2024268870.0000020887129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024520212.0000020887152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000009.00000003.2024499107.000002088715A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024268870.000002088712C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024268870.0000020887129000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024520212.0000020887152000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 00000009.00000003.2047889657.0000020887842000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 00000009.00000003.2047889657.0000020887842000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfDebu
Source: svchost.exe, 00000009.00000003.2047889657.0000020887842000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfet
Source: svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000009.00000003.2024832921.0000020887163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024704987.000002088713B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000009.00000003.2025021670.0000020887127000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfMM
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165955024.00000191A3B24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://meet.crazyfigs.top/ZA
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A39BC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://meet.crazyfigs.top/style/060.exe
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A399C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://meet.crazyfigs.top/style/060.exeo
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2224259048.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A39C0000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A399C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exe
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A399C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exeU
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A399C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exeaws.comLMEM
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2224259048.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A399C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://monoblocked.com/525403/setup.exeq
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://opera.com/privacy
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165955024.00000191A3B24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://palberryslicker.sbs/
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2171002366.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2180091563.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165458577.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170670032.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172594430.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2220340825.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2166039524.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2182352209.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://palberryslicker.sbs/8
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2171002366.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170670032.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172594430.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://palberryslicker.sbs/lander/File_294/setup294.exe
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2171002366.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170670032.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172594430.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://palberryslicker.sbs/lander/File_294/setup294.exe.exe
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2171002366.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170670032.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172594430.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://palberryslicker.sbs/lander/File_294/setup294.exexe
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2171002366.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2180091563.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165458577.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170670032.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172594430.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2220340825.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2166039524.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2182352209.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://palberryslicker.sbs/s
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2166039524.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://palberryslicker.sbs:80/lander/File_294/setup294.exe
Source: jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9772000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/V6VJsrV31https://yip.su/RNWPd.exe7https://iplogger.com/1djqU4
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222128090.00000000046C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://policies.google.com/terms;
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe String found in binary or memory: https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://redir.opera.com/uninstallsurvey/
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222222715.0000000000FE9000.00000004.00000020.00020000.00000000.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000003.2412325574.0000000001197000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://redir.opera.com/www.opera.com/firstrun/?utm_campaign=767__123&utm_medium=apb&utm_source=mkt&
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2175505418.00000191A3B89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2175505418.00000191A3B89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222128090.00000000046C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.gravatar.com
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222128090.00000000046C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sentry-relay.opera-api.com
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222128090.00000000046C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sentry-relay.opera-api.com/api/170/security/?sentry_key=8718908c4bc211ed9f0d161f2d7f9658
Source: svchost.exe, 00000009.00000003.2024798334.0000020887140000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://signup.live.com/signup.aspx
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://sourcecode.opera.com
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2236015746.00000191A3B5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sun6-20.userapi.com/c909618/u5294803/docs/d24/e47db7b4d28f/PL_Clients.bmp?extra=5iTdhq7jHtGb
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2234917130.00000191A3B5E000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2235413330.00000191A398C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2236015746.00000191A3B5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sun6-21.userapi.com/c236331/u5294803/docs/d24/ef46b35f8bf1/imgdrive_2_1.bmp?extra=bkM2v2_xSr
Source: u4n8.0.exe, 00000012.00000003.2545242323.000000002E5B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: u4n8.0.exe, 00000012.00000003.2545242323.000000002E5B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://telegram.org/tos/
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165955024.00000191A3B24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2171002366.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2180091563.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170670032.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172594430.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2220340825.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2182352209.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2171002366.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2180091563.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170670032.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172594430.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2220340825.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2182352209.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exe2
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2171002366.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2180091563.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170670032.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172594430.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2182352209.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exep
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2171002366.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2180091563.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2209753589.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170670032.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172594430.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2182352209.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net/cad54ba5b01423b1af8ec10ab5719d97.exexe9
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2171002366.00000191A39A7000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2190039271.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2182352209.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188214706.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165458577.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2166039524.00000191A39A6000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2180091563.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172594430.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2166039524.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165458577.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A399C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net:80/cad54ba5b01423b1af8ec10ab5719d97.exe
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165458577.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2166039524.00000191A39E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://triedchicken.net:80/cad54ba5b01423b1af8ec10ab5719d97.exe9
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004790000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000400000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004800000.00000004.00001000.00020000.00000000.sdmp, 7h3MwjMZ6vEaBgd6kdodu3Pw.exe, 00000019.00000003.2112599187.00000000047F0000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://twitter.com/en/tos;
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222128090.00000000046C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vimeo.com;
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2219522771.00000191A3984000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2210732609.00000191A3981000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2220340825.00000191A39D8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2241988765.00000191A3BAD000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2234917130.00000191A3B5E000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2235413330.00000191A398C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2236015746.00000191A3B5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/browser_reports?dest=default_reports
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2224259048.00000191A399C000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2213087196.00000191A399C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc329118071_676158749?hash=wJqTXfnxe0acmwC4vumRgawHgxCuE6EviXjICmkirIT&dl=YVEMDGiurK
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2239113774.00000191A3C51000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2243304490.00000191A3974000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2236540684.00000191A3976000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc329118071_676580549?hash=pFVdCz3lOS502jpZ4S1mZuaA9EuN2MatBz9F2cxg7Ac&dl=ej7ecTKnt3
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2210955229.00000191A3C51000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2243304490.00000191A3974000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2236540684.00000191A3976000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc5294803_668627934?hash=KOcSmbd2hjdTG4DLhdJgoCSrHOpCJeuTNRte86dnj0k&dl=iwW1iFTFzY3z
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2239113774.00000191A3C51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc5294803_668769608?hash=EJK4IigrO9hmPOkFxXqpLliN8ksP1vifJqKZbhFKHvw&dl=HyyWNdLGIElg
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2243304490.00000191A3974000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2236540684.00000191A3976000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc5294803_668771194?hash=7dzZFNgNMhFnf8UKhZ88SSJWzznhZJIEKWOI1nQNlbw&dl=jwd31UuZgmzf
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2210955229.00000191A3C51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com/doc5294803_668776833?hash=0O6PF91bZH66jRdVdr0Yhs0vV73FDPMFrSckqwaaZuH&dl=PH90vp0b08Gc
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165955024.00000191A3B24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com:80/doc329118071_676580549?hash=pFVdCz3lOS502jpZ4S1mZuaA9EuN2MatBz9F2cxg7Ac&dl=ej7ecTK
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165955024.00000191A3B24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com:80/doc5294803_668627934?hash=KOcSmbd2hjdTG4DLhdJgoCSrHOpCJeuTNRte86dnj0k&dl=iwW1iFTFz
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165955024.00000191A3B24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com:80/doc5294803_668652542?hash=KlAQZ4zXtzzV5eLSZ1KaXKdCOpfsWxOfH5GyV92XrPL&dl=yPhjzrub8
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165955024.00000191A3B35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com:80/doc5294803_668769608?hash=EJK4IigrO9hmPOkFxXqpLliN8ksP1vifJqKZbhFKHvw&dl=HyyWNdLGI
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165955024.00000191A3B24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com:80/doc5294803_668771194?hash=7dzZFNgNMhFnf8UKhZ88SSJWzznhZJIEKWOI1nQNlbw&dl=jwd31UuZg
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2165955024.00000191A3B24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vk.com:80/doc5294803_668776833?hash=0O6PF91bZH66jRdVdr0Yhs0vV73FDPMFrSckqwaaZuH&dl=PH90vp0b0
Source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2185685005.00000191A399C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222128090.00000000046C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222128090.00000000046C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gravatar.com
Source: u4n8.0.exe, 00000012.00000002.3425878817.0000000000549000.00000040.00000001.01000000.00000012.sdmp, u4n8.0.exe, 00000012.00000002.3425878817.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: u4n8.0.exe, 00000012.00000003.2545242323.000000002E5B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: u4n8.0.exe, 00000012.00000002.3425878817.0000000000549000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: u4n8.0.exe, 00000012.00000002.3425878817.0000000000549000.00000040.00000001.01000000.00000012.sdmp, u4n8.0.exe, 00000012.00000002.3425878817.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: u4n8.0.exe, 00000012.00000003.2545242323.000000002E5B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: u4n8.0.exe, 00000012.00000002.3425878817.0000000000549000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: u4n8.0.exe, 00000012.00000002.3425878817.0000000000549000.00000040.00000001.01000000.00000012.sdmp, u4n8.0.exe, 00000012.00000002.3425878817.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: u4n8.0.exe, 00000012.00000003.2545242323.000000002E5B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: u4n8.0.exe, 00000012.00000002.3425878817.0000000000549000.00000040.00000001.01000000.00000012.sdmp, u4n8.0.exe, 00000012.00000002.3425878817.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: u4n8.0.exe, 00000012.00000003.2545242323.000000002E5B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: u4n8.0.exe, 00000012.00000002.3425878817.0000000000549000.00000040.00000001.01000000.00000012.sdmp, u4n8.0.exe, 00000012.00000002.3425878817.0000000000447000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: u4n8.0.exe, 00000012.00000003.2545242323.000000002E5B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: u4n8.0.exe, 00000012.00000002.3425878817.0000000000549000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222128090.00000000046C6000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://www.opera.com
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://www.opera.com..
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://www.opera.com/
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://www.opera.com/download/
Source: ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://www.opera.com/privacy
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, ZK4CNPe2v25Jrp4qNSGWaEQ7.exe, 0000001B.00000000.2108082838.000000000018A000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: https://www.whatsapp.com/legal;
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.3222128090.00000000046C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com

E-Banking Fraud

Source: Yara match File source: 12.2.OOMSHFu8BfhOzlMYdVgLGKxh.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.TXqT6X30DuHmvWeCAIdAJgkl.exe.4870000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.oV9qcl4WOt6pr8Qw3ls1WbNr.exe.4790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.OOMSHFu8BfhOzlMYdVgLGKxh.exe.4800000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: oV9qcl4WOt6pr8Qw3ls1WbNr.exe PID: 3580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OOMSHFu8BfhOzlMYdVgLGKxh.exe PID: 2828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TXqT6X30DuHmvWeCAIdAJgkl.exe PID: 7732, type: MEMORYSTR
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\5gwWc5VKcUZ5WZf8qmiy07XG.exe entropy: 7.99614337359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe entropy: 7.99614337359
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\060[1].exe entropy: 7.99870917991
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\FXcxjnqlIBGnDayd_pHBiVEI.exe entropy: 7.99870917991
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\setup[1].exe entropy: 7.99617939742
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\hJY1ofwqBcbhUe2B304qYJQu.exe entropy: 7.99617939742
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\grabber[1].exe entropy: 7.99564568557
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\DHD6dwSMrsUYWbjq1ydcbpSW.exe entropy: 7.99564568557
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Assistant_109.0.5097.45_Setup[1].exe entropy: 7.99454240908
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154021\opera_package entropy: 7.99999275562
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\8025ea6a524d24d2ed329f6401df172b[1].crx entropy: 7.99940675387
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Opera_109.0.5097.45_Autoupdate_x64[1].exe entropy: 7.99999275562
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154021\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe (copy) entropy: 7.99454240908
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154021\be76331b95dfc399cd776d2fc68021e0db03cc4f.crx (copy) entropy: 7.99940675387
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\resources\standard_themes\default_dark_theme.zip entropy: 7.99623374097
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\resources\standard_themes\default_theme.zip entropy: 7.9940176927
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\assistant_package entropy: 7.99592813846
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154331\opera_package entropy: 7.99999275562
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Opera_109.0.5097.45_Autoupdate_x64[1].exe entropy: 7.99999275562
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe File created: C:\Users\user\AppData\Local\Temp\d73a64c2 entropy: 7.99726702259

System Summary

Source: 00000018.00000002.2651474821.0000000001D1E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000024.00000002.3019572306.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000012.00000002.3427909101.0000000003650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000021.00000002.3624894464.0000000001C4F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.3983892804.0000000003F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000002.2688026524.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000021.00000002.3624736344.0000000001BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000C.00000002.3370822127.0000000003A09000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.2662822326.0000000001C5E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000002.3427434414.0000000001B4F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000024.00000002.2945913024.0000000001C1E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000018.00000002.2734686268.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Documents\SimpleAdobe\YzypULQuittVyIJ8wj4JdBvq.exe, type: DROPPED Matched rule: Detects zgRAT Author: ditekSHen
Source: 8b0TqH5XXd1pMSAXbXhjKZq0.exe.4.dr Static PE information: section name: .vmp(R
Source: LHlQIk8n23elOoT83aidvHV7.exe.4.dr Static PE information: section name: .vmp(R
Source: 1xM2kELmlEwT0ZdAXbxTFlAd.exe.4.dr Static PE information: section name: .vmp(R
Source: nvTtpLaPwtBzhl7WfFclESwd.exe.4.dr Static PE information: section name: .vmp(R
Source: PlATw6OLviQWLvksohyJaztF.exe.4.dr Static PE information: section name: .vmp(R
Source: 68TEqrsa15uzHFWmeFosqQFP.exe.4.dr Static PE information: section name: .vmp(R
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Windows\System32\GroupPolicy\gpt.ini
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Windows\System32\GroupPolicy\Machine
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Windows\System32\GroupPolicy\User
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 436 -p 3636 -ip 3636
Source: jNeaezBuo8.exe Static PE information: invalid certificate
Source: OxxNs5ZxnbIXbeNW29miCVdc.exe.4.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: fqT8tD2oUyudVPlyITmN6DQI.exe.4.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: UZUmS3UT5nPu2Y8UellaIFKd.exe.4.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: eifmHtaYRvEDUaaleUykWOb3.exe.4.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: DowpWy0co4Mzz9d9uodrpoCS.exe.4.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: nMH85SeKZvjiaQVYVzZz29h4.exe.4.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: OhUCrCHnpMj4vCBH2WFCAm31.exe.4.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: clnVTfVHLSH8ULUPWfOeVu5Z.exe.4.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: Kug8B5xZ6LzxYK18JAPEOCZZ.exe.4.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Source: nvTtpLaPwtBzhl7WfFclESwd.exe.4.dr Static PE information: Number of sections : 15 > 10
Source: PlATw6OLviQWLvksohyJaztF.exe.4.dr Static PE information: Number of sections : 15 > 10
Source: LHlQIk8n23elOoT83aidvHV7.exe.4.dr Static PE information: Number of sections : 15 > 10
Source: 68TEqrsa15uzHFWmeFosqQFP.exe.4.dr Static PE information: Number of sections : 15 > 10
Source: 8b0TqH5XXd1pMSAXbXhjKZq0.exe.4.dr Static PE information: Number of sections : 15 > 10
Source: 1xM2kELmlEwT0ZdAXbxTFlAd.exe.4.dr Static PE information: Number of sections : 15 > 10
Source: jNeaezBuo8.exe Static PE information: No import functions for PE file found
Source: jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9772000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNew.exe" vs jNeaezBuo8.exe
Source: jNeaezBuo8.exe, 00000000.00000000.1992481945.000001BCA7BA2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameEluluvepibikaci< vs jNeaezBuo8.exe
Source: jNeaezBuo8.exe, 00000000.00000002.3090187647.000001BCB986F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAqesoladodaru6 vs jNeaezBuo8.exe
Source: jNeaezBuo8.exe, 00000000.00000002.3108446927.000001BCC1EF0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAqesoladodaru6 vs jNeaezBuo8.exe
Source: 00000018.00000002.2651474821.0000000001D1E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000024.00000002.3019572306.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000012.00000002.3427909101.0000000003650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000021.00000002.3624894464.0000000001C4F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000C.00000002.3983892804.0000000003F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000002.2688026524.00000000036E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000021.00000002.3624736344.0000000001BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000C.00000002.3370822127.0000000003A09000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.2662822326.0000000001C5E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000012.00000002.3427434414.0000000001B4F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000024.00000002.2945913024.0000000001C1E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000018.00000002.2734686268.00000000035A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\Documents\SimpleAdobe\YzypULQuittVyIJ8wj4JdBvq.exe, type: DROPPED Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: jNeaezBuo8.exe, LowLevelSpinWaiterEventAttribute.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@340/638@0/53
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_01C5F756 CreateToolhelp32Snapshot,Module32First, 10_2_01C5F756
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\JdfOLq5feVdmvpgs0LjMwnYk.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Opera/Installer/C:/Users/user/AppData/Local/Programs/Opera
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3636
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5860:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_15
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fp2ibe2i.ahr.ps1
Source: Yara match File source: 0000000A.00000003.2496286293.00000000043FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.2377448604.0000000004537000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2496236521.0000000004407000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u3a8.1.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u5vc.1.exe, type: DROPPED
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6sF6ZIbUf4h0chyjX8GoXwd.bat" "
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: one 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: two 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: three 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: four 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: five 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: six 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: seven 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: eight 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: nine 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: ten 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: 185.172.128.90 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: Installed 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: 185.172.128.228 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: 185.172.128.59 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: /syncUpd.exe 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: /1/Qg_Appv5.exe 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: Qg_Appv5.exe 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: /BroomSetup.exe 10_2_00424B3E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: @ 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: one 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: one 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: two 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: two 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: five 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: five 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: seven 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: eight 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: nine 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: ten 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: 185.172.128.90 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: Installed 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: 185.172.128.228 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: 185.172.128.59 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: /syncUpd.exe 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: /1/Qg_Appv5.exe 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: Qg_Appv5.exe 10_2_03704DA5
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Command line argument: /BroomSetup.exe 10_2_03704DA5
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: one 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: two 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: three 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: four 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: five 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: six 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: seven 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: eight 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: nine 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: ten 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: 185.172.128.90 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: Installed 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: 185.172.128.228 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: 185.172.128.59 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: /syncUpd.exe 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: /1/Qg_Appv5.exe 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: Qg_Appv5.exe 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: /BroomSetup.exe 24_2_00424B3E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: @ 24_2_035C4DA5
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: one 24_2_035C4DA5
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: two 24_2_035C4DA5
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: five 24_2_035C4DA5
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: seven 24_2_035C4DA5
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: eight 24_2_035C4DA5
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: nine 24_2_035C4DA5
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: ten 24_2_035C4DA5
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: 185.172.128.90 24_2_035C4DA5
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: Installed 24_2_035C4DA5
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: 185.172.128.228 24_2_035C4DA5
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: 185.172.128.59 24_2_035C4DA5
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: /syncUpd.exe 24_2_035C4DA5
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: /1/Qg_Appv5.exe 24_2_035C4DA5
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: Qg_Appv5.exe 24_2_035C4DA5
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Command line argument: /BroomSetup.exe 24_2_035C4DA5
Source: jNeaezBuo8.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\jNeaezBuo8.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: u4n8.0.exe, 00000012.00000002.3856814320.000000001C164000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: u4n8.0.exe, 00000012.00000002.3856814320.000000001C164000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: u4n8.0.exe, 00000012.00000002.3856814320.000000001C164000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: u4n8.0.exe, 00000012.00000002.3856814320.000000001C164000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: u4n8.0.exe, 00000012.00000002.3856814320.000000001C164000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: u4n8.0.exe, 00000012.00000002.3856814320.000000001C164000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: u4n8.0.exe, 00000012.00000002.3856814320.000000001C164000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: u4n8.0.exe, 00000012.00000003.2216407145.000000002223E000.00000004.00000020.00020000.00000000.sdmp, u4n8.0.exe, 00000012.00000003.2245036103.0000000001C21000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: u4n8.0.exe, 00000012.00000002.3856814320.000000001C164000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: u4n8.0.exe, 00000012.00000002.3856814320.000000001C164000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: jNeaezBuo8.exe ReversingLabs: Detection: 18%
Source: jNeaezBuo8.exe Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\jNeaezBuo8.exe File read: C:\Users\user\Desktop\jNeaezBuo8.exe
Source: unknown Process created: C:\Users\user\Desktop\jNeaezBuo8.exe "C:\Users\user\Desktop\jNeaezBuo8.exe"
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jNeaezBuo8.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 436 -p 3636 -ip 3636
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3636 -s 1360
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe "C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe "C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe "C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe "C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe "C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe" --silent --allusers=0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x258,0x6c5be1d0,0x6c5be1dc,0x6c5be1e8
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\09JXLFzEJOC5kWQEY7XIw75i.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\09JXLFzEJOC5kWQEY7XIw75i.exe" --version
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Process created: C:\Users\user\AppData\Local\Temp\u4n8.0.exe "C:\Users\user\AppData\Local\Temp\u4n8.0.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe "C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5480 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240420115402" --session-guid=7c8aa1aa-7a32-47df-9a77-320b42f4c511 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=9C05000000000000
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x6b94e1d0,0x6b94e1dc,0x6b94e1e8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe "C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\7h3MwjMZ6vEaBgd6kdodu3Pw.exe "C:\Users\user\Pictures\7h3MwjMZ6vEaBgd6kdodu3Pw.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\TXqT6X30DuHmvWeCAIdAJgkl.exe "C:\Users\user\Pictures\TXqT6X30DuHmvWeCAIdAJgkl.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe "C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe "C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe"
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Process created: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2b0,0x2b4,0x2b8,0x2ac,0x2bc,0x6afce1d0,0x6afce1dc,0x6afce1e8
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe" --version
Source: C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe "C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe"
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Process created: C:\Users\user\AppData\Local\Temp\u5vc.0.exe "C:\Users\user\AppData\Local\Temp\u5vc.0.exe"
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6sF6ZIbUf4h0chyjX8GoXwd.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe "C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\ZUXB5CkDapzE7efrdUFhJ892.exe "C:\Users\user\AppData\Local\ZUXB5CkDapzE7efrdUFhJ892.exe"
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\KtJVXw17tLyQAhIxYU41jVqs.exe "C:\Users\user\Pictures\KtJVXw17tLyQAhIxYU41jVqs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\Y19ex8vzCbShkGSA8eqfhDzt.exe "C:\Users\user\Pictures\Y19ex8vzCbShkGSA8eqfhDzt.exe"
Source: C:\Users\user\Pictures\TXqT6X30DuHmvWeCAIdAJgkl.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe "C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe" --silent --allusers=0
Source: C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe Process created: C:\Users\user\AppData\Local\Temp\u3a8.0.exe "C:\Users\user\AppData\Local\Temp\u3a8.0.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe "C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe"
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Process created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe "C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe"
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jNeaezBuo8.exe" -Force
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe "C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe "C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe "C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe "C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe "C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe "C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\7h3MwjMZ6vEaBgd6kdodu3Pw.exe "C:\Users\user\Pictures\7h3MwjMZ6vEaBgd6kdodu3Pw.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\TXqT6X30DuHmvWeCAIdAJgkl.exe "C:\Users\user\Pictures\TXqT6X30DuHmvWeCAIdAJgkl.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe "C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe "C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe "C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe "C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\KtJVXw17tLyQAhIxYU41jVqs.exe "C:\Users\user\Pictures\KtJVXw17tLyQAhIxYU41jVqs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\Y19ex8vzCbShkGSA8eqfhDzt.exe "C:\Users\user\Pictures\Y19ex8vzCbShkGSA8eqfhDzt.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe "C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe "C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe "C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6sF6ZIbUf4h0chyjX8GoXwd.bat" "
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe "C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 436 -p 3636 -ip 3636
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3636 -s 1360
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe "C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe"
Source: C:\Windows\System32\WerFault.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Process created: C:\Users\user\AppData\Local\Temp\u4n8.0.exe "C:\Users\user\AppData\Local\Temp\u4n8.0.exe"
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x258,0x6c5be1d0,0x6c5be1dc,0x6c5be1e8
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\09JXLFzEJOC5kWQEY7XIw75i.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\09JXLFzEJOC5kWQEY7XIw75i.exe" --version
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe "C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5480 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240420115402" --session-guid=7c8aa1aa-7a32-47df-9a77-320b42f4c511 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=9C05000000000000
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x6b94e1d0,0x6b94e1dc,0x6b94e1e8
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Process created: C:\Users\user\AppData\Local\Temp\u5vc.0.exe "C:\Users\user\AppData\Local\Temp\u5vc.0.exe"
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Process created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe "C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe"
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\7h3MwjMZ6vEaBgd6kdodu3Pw.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\TXqT6X30DuHmvWeCAIdAJgkl.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Process created: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2b0,0x2b4,0x2b8,0x2ac,0x2bc,0x6afce1d0,0x6afce1dc,0x6afce1e8
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Process created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe "C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe" --version
Source: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\ZUXB5CkDapzE7efrdUFhJ892.exe "C:\Users\user\AppData\Local\ZUXB5CkDapzE7efrdUFhJ892.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe Process created: C:\Users\user\AppData\Local\Temp\u3a8.0.exe "C:\Users\user\AppData\Local\Temp\u3a8.0.exe"
Source: C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\KtJVXw17tLyQAhIxYU41jVqs.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\Y19ex8vzCbShkGSA8eqfhDzt.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: apphelp.dll Jump to behavior
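The jsc.exe block above is the part of this list worth a second look: the JScript.NET compiler has no reason of its own to load winhttp.dll, dnsapi.dll, schannel.dll or ncryptsslp.dll, so a TLS-capable network stack appearing in that process is consistent with code injected into it rather than with the compiler's normal work. The following triage script is an added example, not part of the sandbox report or its tooling. It parses report lines of the "Source: <process> Section loaded: <module>" form into a per-process module set, flags network/TLS modules in processes that should stay quiet, and counts repeated mappings of the same module. The sample lines are a constructed subset copied from this report; the lists of network modules and quiet host processes are assumptions of the example, not rules from the report.

```python
"""Triage helper for sandbox "Section loaded" lines (added example, not the report's code)."""
import re
from collections import defaultdict

# Constructed sample: a subset of lines as they appear in the report above.
SAMPLE_LINES = """\
Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Section loaded: amsi.dll
Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Section loaded: wininet.dll
Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe Section loaded: mscoree.dll
Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe Section loaded: winhttp.dll
Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe Section loaded: dnsapi.dll
Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe Section loaded: schannel.dll
Source: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe Section loaded: ncryptsslp.dll
Source: C:\\Windows\\System32\\svchost.exe Section loaded: policymanager.dll
Source: C:\\Windows\\System32\\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\\Windows\\System32\\svchost.exe Section loaded: policymanager.dll
"""

LINE_RE = re.compile(r"^Source:\s+(?P<proc>.+?)\s+Section loaded:\s+(?P<mod>\S+)", re.I)

# Modules whose presence means the process resolves names, opens HTTP(S)
# connections or performs TLS. Assumed baseline for this example.
NETWORK_MODULES = {"winhttp.dll", "wininet.dll", "dnsapi.dll", "schannel.dll",
                   "ncryptsslp.dll", "mswsock.dll", "ws2_32.dll"}

# .NET build-tool binaries that are common injection hosts and have no
# legitimate need for network I/O. Assumed list for this example.
QUIET_HOSTS = {"jsc.exe", "csc.exe", "vbc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe"}


def parse_section_loads(text):
    """Return ({process_basename: set(modules)}, {(process, module): load_count})."""
    loads = defaultdict(set)
    counts = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a "Section loaded" line
        proc = m.group("proc").rsplit("\\", 1)[-1].lower()
        mod = m.group("mod").lower()
        loads[proc].add(mod)
        counts[(proc, mod)] += 1
    return dict(loads), dict(counts)


def flag_unexpected_network(loads):
    """Sorted (process, module) pairs where a quiet host loaded a network/TLS module."""
    hits = []
    for proc, mods in loads.items():
        if proc in QUIET_HOSTS:
            hits.extend((proc, m) for m in sorted(mods & NETWORK_MODULES))
    return sorted(hits)


def repeated_loads(counts, threshold=2):
    """Sorted (process, module, n) for modules mapped at least `threshold` times."""
    return sorted((p, m, n) for (p, m), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    loads, counts = parse_section_loads(SAMPLE_LINES)
    for proc, mod in flag_unexpected_network(loads):
        print(f"[!] {proc} loaded {mod}: network capability in a compiler binary")
    for proc, mod, n in repeated_loads(counts):
        print(f"[i] {proc} mapped {mod} {n} times")
```

Run it against the full report text instead of SAMPLE_LINES to get the same two views for every process: the first list is the injection-host signal, the second shows where the report's repeated policymanager.dll/msvcp110_win.dll mappings come from without reading hundreds of identical lines.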
Source: C:\Windows\System32\svchost.exe Section loaded: wersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windowsperformancerecordercontrol.dll
Source: C:\Windows\System32\svchost.exe Section loaded: weretw.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: faultrep.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dbgcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File written: C:\Windows\System32\GroupPolicy\gpt.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\jNeaezBuo8.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: jNeaezBuo8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: jNeaezBuo8.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: jNeaezBuo8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\yicukewiceyal\ge.pdb source: KB7dlYN3AfN1oeAtjoqEId5Q.exe, 0000000A.00000003.2076217074.0000000003751000.00000004.00000020.00020000.00000000.sdmp, u4n8.0.exe, 00000012.00000000.2074815643.000000000041B000.00000002.00000001.01000000.00000012.sdmp, qVgCKtvfJNb4NfGV6kK2PcSn.exe, 00000018.00000003.2166185579.0000000003821000.00000004.00000020.00020000.00000000.sdmp, u3a8.0.exe, 0000002F.00000000.2232630667.000000000041B000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: symsrv.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000005008000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000005078000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000C7A000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: C:\nedadovisiguc\bibufedepisoh\jegode\yapogiboj\hi.pdb source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2174618549.00000191A3BE7000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172221081.00000191A3C49000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188372013.00000191A3EDF000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2174987664.00000191A3C54000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2174618549.00000191A3C51000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2193224291.00000191A420C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer_lib.dll.pdb source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2082165285.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090318998.000000000091A000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\javagevo77\xonete\zedikacap-kumefuhan_yevezocusir\nisev.pdb source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2224713944.00000191A3CF1000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2215504283.00000191A3BE6000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2222570320.00000191A3BE7000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2212637662.00000191A3CA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: DC:\yicukewiceyal\ge.pdb source: KB7dlYN3AfN1oeAtjoqEId5Q.exe, 0000000A.00000003.2076217074.0000000003751000.00000004.00000020.00020000.00000000.sdmp, u4n8.0.exe, 00000012.00000000.2074815643.000000000041B000.00000002.00000001.01000000.00000012.sdmp, qVgCKtvfJNb4NfGV6kK2PcSn.exe, 00000018.00000003.2166185579.0000000003821000.00000004.00000020.00020000.00000000.sdmp, u3a8.0.exe, 0000002F.00000000.2232630667.000000000041B000.00000002.00000001.01000000.00000026.sdmp
Source: Binary string: symsrv.pdbGCTL source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000005008000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000005078000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000C7A000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004F3B000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8>C:\javagevo77\xonete\zedikacap-kumefuhan_yevezocusir\nisev.pdb source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2224713944.00000191A3CF1000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2215504283.00000191A3BE6000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2222570320.00000191A3BE7000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2212637662.00000191A3CA0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\bivonare pif.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000000.2044586554.000000000041B000.00000002.00000001.01000000.00000008.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000000.2044626083.000000000041B000.00000002.00000001.01000000.00000009.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2229512304.00000191A4D81000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2243509355.00000191A47D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2221228866.00000191A3EDF000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2223589423.00000191A3EDF000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2212781209.00000191A3C33000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2212312951.00000191A3CF1000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2223589423.00000191A3F08000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2231025618.00000191A446A000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2223860055.00000191A3F8A000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2224712272.00000191A50DB000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2226978323.00000191A457E000.00000004.00000020.00020000.00000000.sdmp, 7h3MwjMZ6vEaBgd6kdodu3Pw.exe, 00000019.00000000.2099968954.000000000041B000.00000002.00000001.01000000.00000017.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000000.2099955782.000000000041B000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: dbghelp.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: dbghelp.pdbGCTL source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: Loader.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RC:\nedadovisiguc\bibufedepisoh\jegode\yapogiboj\hi.pdb source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2174618549.00000191A3BE7000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172221081.00000191A3C49000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2188372013.00000191A3EDF000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2174987664.00000191A3C54000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2174618549.00000191A3C51000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2193224291.00000191A420C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EfiGuardDxe.pdb7 source: OOMSHFu8BfhOzlMYdVgLGKxh.exe, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3370822127.0000000003A09000.00000040.00000020.00020000.00000000.sdmp
Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054480906.0000000000907000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058903181.0000000000907000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063547278.0000000000CE7000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000002.2070475938.0000000000CE7000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2081878811.0000000000907000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090225681.0000000000907000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2177073279.00000191A3CA0000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2176633575.00000191A3D63000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2179182546.00000191A3EDE000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2179501454.00000191A3EDF000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2178658771.00000191A3B51000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2179182546.00000191A3DAF000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2176852284.00000191A3C86000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\yixeki-ciguwan38_buyej\jobo.pdb source: DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170309443.00000191A3BE6000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172221081.00000191A3C1E000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2170431588.00000191A3BFE000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2172136795.00000191A3CF1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: Qg_Appv5.exe, 00000031.00000002.3153910263.00000252B15C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: .pdb.dbg source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: '(EfiGuardDxe.pdbx source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004F3B000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: Qg_Appv5.exe, 00000031.00000002.3153910263.00000252B15C0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: LNC:\noyofalivam\xeguhukur.pdb source: KB7dlYN3AfN1oeAtjoqEId5Q.exe, 0000000A.00000000.2032754701.000000000041B000.00000002.00000001.01000000.00000007.sdmp, KB7dlYN3AfN1oeAtjoqEId5Q.exe, 0000000A.00000002.2684591676.0000000001C98000.00000004.00000020.00020000.00000000.sdmp, qVgCKtvfJNb4NfGV6kK2PcSn.exe, 00000018.00000002.2675239063.0000000001D58000.00000004.00000020.00020000.00000000.sdmp, qVgCKtvfJNb4NfGV6kK2PcSn.exe, 00000018.00000000.2090215768.000000000041B000.00000002.00000001.01000000.00000015.sdmp, bOYJAXg8qqrEFblwExl79wvd.exe, 00000024.00000003.2378051986.0000000001C5E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\noyofalivam\xeguhukur.pdb source: KB7dlYN3AfN1oeAtjoqEId5Q.exe, 0000000A.00000000.2032754701.000000000041B000.00000002.00000001.01000000.00000007.sdmp, KB7dlYN3AfN1oeAtjoqEId5Q.exe, 0000000A.00000002.2684591676.0000000001C98000.00000004.00000020.00020000.00000000.sdmp, qVgCKtvfJNb4NfGV6kK2PcSn.exe, 00000018.00000002.2675239063.0000000001D58000.00000004.00000020.00020000.00000000.sdmp, qVgCKtvfJNb4NfGV6kK2PcSn.exe, 00000018.00000000.2090215768.000000000041B000.00000002.00000001.01000000.00000015.sdmp, bOYJAXg8qqrEFblwExl79wvd.exe, 00000024.00000003.2378051986.0000000001C5E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004E5B000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004ECB000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000ACD000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: GC:\bivonare pif.pdb source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000000.2044586554.000000000041B000.00000002.00000001.01000000.00000008.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000000.2044626083.000000000041B000.00000002.00000001.01000000.00000009.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2229512304.00000191A4D81000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2243509355.00000191A47D8000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2221228866.00000191A3EDF000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2223589423.00000191A3EDF000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2212781209.00000191A3C33000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2212312951.00000191A3CF1000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2223589423.00000191A3F08000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2231025618.00000191A446A000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2223860055.00000191A3F8A000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2224712272.00000191A50DB000.00000004.00000020.00020000.00000000.sdmp, DAzvKQG6Ksqk3AfqsZxaFtPP.exe, 0000000D.00000003.2226978323.00000191A457E000.00000004.00000020.00020000.00000000.sdmp, 7h3MwjMZ6vEaBgd6kdodu3Pw.exe, 00000019.00000000.2099968954.000000000041B000.00000002.00000001.01000000.00000017.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000000.2099955782.000000000041B000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: c:\srv\slave\workdir\repos\opera\chromium\src\out\Release\installer.exe.pdb@ source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054480906.0000000000907000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058903181.0000000000907000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063547278.0000000000CE7000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000002.2070475938.0000000000CE7000.00000002.00000001.01000000.0000000F.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000016.00000000.2081878811.0000000000907000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000017.00000000.2090225681.0000000000907000.00000002.00000001.01000000.0000000B.sdmp

Data Obfuscation

Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Unpacked PE file: 10.2.KB7dlYN3AfN1oeAtjoqEId5Q.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Unpacked PE file: 12.2.OOMSHFu8BfhOzlMYdVgLGKxh.exe.400000.2.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Unpacked PE file: 18.2.u4n8.0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Unpacked PE file: 24.2.qVgCKtvfJNb4NfGV6kK2PcSn.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\u5vc.0.exe Unpacked PE file: 33.2.u5vc.0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe Unpacked PE file: 36.2.bOYJAXg8qqrEFblwExl79wvd.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Unpacked PE file: 10.2.KB7dlYN3AfN1oeAtjoqEId5Q.exe.400000.0.unpack
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Unpacked PE file: 12.2.OOMSHFu8BfhOzlMYdVgLGKxh.exe.400000.2.unpack
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Unpacked PE file: 18.2.u4n8.0.exe.400000.0.unpack
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Unpacked PE file: 24.2.qVgCKtvfJNb4NfGV6kK2PcSn.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5vc.0.exe Unpacked PE file: 33.2.u5vc.0.exe.400000.0.unpack
Source: C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe Unpacked PE file: 36.2.bOYJAXg8qqrEFblwExl79wvd.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 18_2_00416240
Source: initial sample Static PE information: section where entry point is pointing to: .vmp(R
Source: UZUmS3UT5nPu2Y8UellaIFKd.exe.4.dr Static PE information: real checksum: 0x52abdf should be: 0x52acd4
Source: l8khAE6y8GNl60eaPnDT5SpN.exe.4.dr Static PE information: real checksum: 0x85ff5 should be: 0x85ff8
Source: 0UUxNGvo5SBoNXrhVKNnInBZ.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: Rq807joaUQGWAAeRQkX7gdMO.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: qyNU89bNsoji84PSVfnILP6f.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: clnVTfVHLSH8ULUPWfOeVu5Z.exe.4.dr Static PE information: real checksum: 0x526d1d should be: 0x526e12
Source: KWuM8Zwy1b2PQLlilGvrKdff.exe.4.dr Static PE information: real checksum: 0x85ff5 should be: 0x85ff8
Source: fqT8tD2oUyudVPlyITmN6DQI.exe.4.dr Static PE information: real checksum: 0x52903c should be: 0x529131
Source: DowpWy0co4Mzz9d9uodrpoCS.exe.4.dr Static PE information: real checksum: 0x529433 should be: 0x529528
Source: wZzYmE8Nz9QCUHZqOt6rEm24.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: TVY35mdJttfYOhKcrk6q1H2A.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: OxxNs5ZxnbIXbeNW29miCVdc.exe.4.dr Static PE information: real checksum: 0x52903c should be: 0x529131
Source: OhUCrCHnpMj4vCBH2WFCAm31.exe.4.dr Static PE information: real checksum: 0x52c866 should be: 0x52c95b
Source: dJfVoxt31cguly6snQSXBF2t.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: fShSvC1wFBBqHPdIyqjcnjYY.exe.4.dr Static PE information: real checksum: 0x85ff5 should be: 0x85ff8
Source: pilT6nsQGl5Pdedeqgr7mf1I.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: KJG8FLUALUrjvRwyv2uaCgOy.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: MADz7xDiCV625yCpzFYe2ZQn.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: ySPTaGUdAgM6iUd6OElZjJ8a.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: Kug8B5xZ6LzxYK18JAPEOCZZ.exe.4.dr Static PE information: real checksum: 0x52e8d6 should be: 0x52e9cb
Source: nQUJxFtydtfiOBHb5xbWutY1.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: eifmHtaYRvEDUaaleUykWOb3.exe.4.dr Static PE information: real checksum: 0x52abdf should be: 0x52acd4
Source: bEJbb1QJjCxT3KqTjSpz7GI2.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: sDS4xDJRJNjL2aJQctE1V3M1.exe.4.dr Static PE information: real checksum: 0x85ff5 should be: 0x85ff8
Source: f73ha0P54IB5rPcLdHiltLCQ.exe.4.dr Static PE information: real checksum: 0x85ff5 should be: 0x85ff8
Source: nMH85SeKZvjiaQVYVzZz29h4.exe.4.dr Static PE information: real checksum: 0x52c866 should be: 0x52c95b
Source: zKW678DCl3v5blnmCqpv2mbr.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: rO91t03U6QGPgKg7iOh3SEVF.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: SRqTzGHU8zgpHkS9pdxLpEbq.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: Jdk6KxIklqc8FORT2NpB78NQ.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: NUQ7j4iKPUQAfFc6iBFXCw4X.exe.4.dr Static PE information: real checksum: 0x449633 should be: 0x44bc4c
Source: 1pwXik5TSXPHdUS8qk7dav8p.exe.4.dr Static PE information: real checksum: 0x85ff5 should be: 0x85ff8
Source: 8b0TqH5XXd1pMSAXbXhjKZq0.exe.4.dr Static PE information: section name: _RDATA
Source: 8b0TqH5XXd1pMSAXbXhjKZq0.exe.4.dr Static PE information: section name: .vmp(R
Source: 8b0TqH5XXd1pMSAXbXhjKZq0.exe.4.dr Static PE information: section name: .themida
Source: 8b0TqH5XXd1pMSAXbXhjKZq0.exe.4.dr Static PE information: section name: .vmp(R
Source: 8b0TqH5XXd1pMSAXbXhjKZq0.exe.4.dr Static PE information: section name: .vmp(R
Source: 8b0TqH5XXd1pMSAXbXhjKZq0.exe.4.dr Static PE information: section name: .vmp(R
Source: LHlQIk8n23elOoT83aidvHV7.exe.4.dr Static PE information: section name: _RDATA
Source: LHlQIk8n23elOoT83aidvHV7.exe.4.dr Static PE information: section name: .vmp(R
Source: LHlQIk8n23elOoT83aidvHV7.exe.4.dr Static PE information: section name: .themida
Source: LHlQIk8n23elOoT83aidvHV7.exe.4.dr Static PE information: section name: .vmp(R
Source: LHlQIk8n23elOoT83aidvHV7.exe.4.dr Static PE information: section name: .vmp(R
Source: LHlQIk8n23elOoT83aidvHV7.exe.4.dr Static PE information: section name: .vmp(R
Source: 1xM2kELmlEwT0ZdAXbxTFlAd.exe.4.dr Static PE information: section name: _RDATA
Source: 1xM2kELmlEwT0ZdAXbxTFlAd.exe.4.dr Static PE information: section name: .vmp(R
Source: 1xM2kELmlEwT0ZdAXbxTFlAd.exe.4.dr Static PE information: section name: .themida
Source: 1xM2kELmlEwT0ZdAXbxTFlAd.exe.4.dr Static PE information: section name: .vmp(R
Source: 1xM2kELmlEwT0ZdAXbxTFlAd.exe.4.dr Static PE information: section name: .vmp(R
Source: 1xM2kELmlEwT0ZdAXbxTFlAd.exe.4.dr Static PE information: section name: .vmp(R
Source: nvTtpLaPwtBzhl7WfFclESwd.exe.4.dr Static PE information: section name: _RDATA
Source: nvTtpLaPwtBzhl7WfFclESwd.exe.4.dr Static PE information: section name: .vmp(R
Source: nvTtpLaPwtBzhl7WfFclESwd.exe.4.dr Static PE information: section name: .themida
Source: nvTtpLaPwtBzhl7WfFclESwd.exe.4.dr Static PE information: section name: .vmp(R
Source: nvTtpLaPwtBzhl7WfFclESwd.exe.4.dr Static PE information: section name: .vmp(R
Source: nvTtpLaPwtBzhl7WfFclESwd.exe.4.dr Static PE information: section name: .vmp(R
Source: PlATw6OLviQWLvksohyJaztF.exe.4.dr Static PE information: section name: _RDATA
Source: PlATw6OLviQWLvksohyJaztF.exe.4.dr Static PE information: section name: .vmp(R
Source: PlATw6OLviQWLvksohyJaztF.exe.4.dr Static PE information: section name: .themida
Source: PlATw6OLviQWLvksohyJaztF.exe.4.dr Static PE information: section name: .vmp(R
Source: PlATw6OLviQWLvksohyJaztF.exe.4.dr Static PE information: section name: .vmp(R
Source: PlATw6OLviQWLvksohyJaztF.exe.4.dr Static PE information: section name: .vmp(R
Source: 68TEqrsa15uzHFWmeFosqQFP.exe.4.dr Static PE information: section name: _RDATA
Source: 68TEqrsa15uzHFWmeFosqQFP.exe.4.dr Static PE information: section name: .vmp(R
Source: 68TEqrsa15uzHFWmeFosqQFP.exe.4.dr Static PE information: section name: .themida
Source: 68TEqrsa15uzHFWmeFosqQFP.exe.4.dr Static PE information: section name: .vmp(R
Source: 68TEqrsa15uzHFWmeFosqQFP.exe.4.dr Static PE information: section name: .vmp(R
Source: 68TEqrsa15uzHFWmeFosqQFP.exe.4.dr Static PE information: section name: .vmp(R
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Code function: 0_2_00007FF848F157DB push 35FC458Bh; iretd 0_2_00007FF848F157E8
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Code function: 0_2_00007FF848FF026B push esp; retf 4810h 0_2_00007FF848FF0312
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Code function: 0_2_00007FF848FF1C30 push eax; retf 0_2_00007FF848FF1C31
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_0042D355 push esi; ret 10_2_0042D35E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_00409D06 push ecx; ret 10_2_00409D19
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_004275A4 push eax; ret 10_2_004275C2
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_004097B6 push ecx; ret 10_2_004097C9
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_01C63905 pushad ; retf 10_2_01C6390C
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_01C620E0 push ecx; iretd 10_2_01C620F2
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_01C61056 pushad ; retf 10_2_01C61057
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_01C635EF push 2B991403h; ret 10_2_01C635F6
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_01C63F14 push 00000061h; retf 10_2_01C63F1C
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_036FCB2D push esp; retf 10_2_036FCB2E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_036E9A1D push ecx; ret 10_2_036E9A30
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_0370780B push eax; ret 10_2_03707829
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_036E9F6D push ecx; ret 10_2_036E9F80
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_036FC52F push esp; retf 10_2_036FC537
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_03701CA2 push dword ptr [esp+ecx-75h]; iretd 10_2_03701CA6
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Code function: 12_2_03A0DD61 pushad ; ret 12_2_03A0DD88
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Code function: 12_2_03A0B16B pushfd ; ret 12_2_03A0B1B3
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Code function: 12_2_03A0DC85 pushad ; ret 12_2_03A0DC97
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_004176C5 push ecx; ret 18_2_004176D8
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0366792C push ecx; ret 18_2_0366793F
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_0042D355 push esi; ret 24_2_0042D35E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_00409D06 push ecx; ret 24_2_00409D19
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_004275A4 push eax; ret 24_2_004275C2
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_004097B6 push ecx; ret 24_2_004097C9
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_01D23905 pushad ; retf 24_2_01D2390C
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_01D220E0 push ecx; iretd 24_2_01D220F2
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_01D21056 pushad ; retf 24_2_01D21057
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_01D25378 push ebp; iretd 24_2_01D253AB

Persistence and Installation Behavior

Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\tP5pTf0jS1kLhyjqmBv_VrrP.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\H5IdNZJmWFbmVKRjrzSzq_VU.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\N6gs4eA7eEYDf77vFjOtaIRK.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\YzypULQuittVyIJ8wj4JdBvq.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\rxKdbi1mxdhb3gQnRtcL21w6.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\fs8UvdH7aqxSxTI4lJXRD5UK.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\DHD6dwSMrsUYWbjq1ydcbpSW.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\FXcxjnqlIBGnDayd_pHBiVEI.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\OgqrEizuQKrGmbhIuvrJL0FK.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\YTPkrsvhjPQ50b0uZLG5k6S0.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\j0muh7S3p0fFGFbAmRNzniXR.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\ISydF4SkTNvMTsMw0fHGm6cg.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\IFuSUUxv5JW4MS2vMljuonta.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\kh9bXd0Y6gx6bLu88nVllBRp.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\kX1qCrGX0yxVsyVKBPTFPIvC.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\hJY1ofwqBcbhUe2B304qYJQu.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\RDyYTnMDkCW8uIAVGFHTmr8b.exe Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\5tBur4jOD2uiOR7o9hLJxfah.exe Jump to dropped file
Source: C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954283907356.dll Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954036647596.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\tszCDBRJQFC2WelpK025uY5p.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\NUQ7j4iKPUQAfFc6iBFXCw4X.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\l8khAE6y8GNl60eaPnDT5SpN.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\DHD6dwSMrsUYWbjq1ydcbpSW.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\dxil.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\ZUXB5CkDapzE7efrdUFhJ892.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\MADz7xDiCV625yCpzFYe2ZQn.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Opera_109.0.5097.45_Autoupdate_x64[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\setup294[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\opera_gx_splash.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe File created: C:\Users\user\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\mBjvNDlP0V4hbaJfvUuppMZT.exe Jump to dropped file
Source: C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\eYOrtx4XT9Xlr5FknYeLBgkD.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\G3hPwh2bgpCY2yLq2Ud9bMvP.exe Jump to dropped file
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe File created: C:\Users\user\AppData\Local\Temp\u4n8.1.exe Jump to dropped file
Source: C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe File created: C:\Users\user\AppData\Local\Temp\u3a8.1.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\060[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154021\additional_file0.tmp Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\jVXD2wsYEk1ucd6lZL7tqiNC.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\osSY4XCAlbCksdADVILcQqBm.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\setup[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\opera_crashreporter.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\JHNCg0JIVGbBMVNGHXYgXCki.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\kh9bXd0Y6gx6bLu88nVllBRp.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\6Y7L0R6heobmi5sU8d9LNLQB.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\timeSync[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\RzN0r1s56Y6tbSxGu8g4RTFC.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\sDS4xDJRJNjL2aJQctE1V3M1.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\6GMlnWvHlwAR5CXlzaFNIYDK.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\G2JymbeYK9WxtsgltLBhWrbm.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\mojo_core.dll Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\YzypULQuittVyIJ8wj4JdBvq.exe Jump to dropped file
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe File created: C:\Users\user\AppData\Local\Temp\u5vc.1.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\fs8UvdH7aqxSxTI4lJXRD5UK.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\dOSiiQGceGabOSjNPZy6ALVs.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\vk_swiftshader.dll Jump to dropped file
Source: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe File created: C:\Users\user\AppData\Local\Temp\7zSDE38.tmp\appidpolicyconverter.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\TVY35mdJttfYOhKcrk6q1H2A.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\XWFLQREP5fHqBpXFnsTti9t6.exe Jump to dropped file
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954055427752.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe File created: C:\Users\user\AppData\Local\Temp\Zqicom_beta\relay.dll Jump to dropped file
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154331\opera_package Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\SRqTzGHU8zgpHkS9pdxLpEbq.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\SWxWPnF0GcSxZboClYn5fyJs.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954004632668.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\dzwthTZuxWv93PkbTJg61TP8.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\OgqrEizuQKrGmbhIuvrJL0FK.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\92kAaDTkDhRrMy0DmXOUqiGt.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\mJELMFYiIOwSEHw1MspR0tMC.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Default15_team[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\libGLESv2.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\09JXLFzEJOC5kWQEY7XIw75i.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\O3m41s0wSD5zoSObpW4Psf6J.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\pilT6nsQGl5Pdedeqgr7mf1I.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\nQUJxFtydtfiOBHb5xbWutY1.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\ISydF4SkTNvMTsMw0fHGm6cg.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\c7hxt59BnCQTVxfSbyanvm1E.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\8b0TqH5XXd1pMSAXbXhjKZq0.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\installer_helper_64.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\launcher.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\wZzYmE8Nz9QCUHZqOt6rEm24.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\euHMzz273NklU7mgrgUCkRrG.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\2G9S5uF27Bt9r9VWuXwyuqad.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\9yhECDruaeRmxhVk9M6BHu8V.exe Jump to dropped file
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Opera_109.0.5097.45_Autoupdate_x64[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\dxcompiler.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\Kug8B5xZ6LzxYK18JAPEOCZZ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\f4XpsIuRBAfmIOjFXF1VdkNO.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\6462c272[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\w1LOX3XeHuEGT87oLxL6t3id.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\OhUCrCHnpMj4vCBH2WFCAm31.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\5gwWc5VKcUZ5WZf8qmiy07XG.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\aA7bmff6TvQfMGlBzmIXCQu1.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\8zhaIaqIg3EHTANT2VC891Qh.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\AtTxCqcCWwN4uzHaU4nBaNLb.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\LHlQIk8n23elOoT83aidvHV7.exe Jump to dropped file
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954066687816.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\nvTtpLaPwtBzhl7WfFclESwd.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\opera_autoupdate.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154021\opera_package Jump to dropped file
Source: C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe File created: C:\Users\user\AppData\Local\Temp\u3a8.0.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\yvABChPqbhjOl64NqwRk76px.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\KJG8FLUALUrjvRwyv2uaCgOy.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\9qXSmkhMS5UldZUa63d4PtMK.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\vulkan-1.dll Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\kX1qCrGX0yxVsyVKBPTFPIvC.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\tP5pTf0jS1kLhyjqmBv_VrrP.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\ullDNdRRARKjlRS7GvwrVXnW.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\fqT8tD2oUyudVPlyITmN6DQI.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\oAOIj59FdDP9wDnCTclqbXA7.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\6qpTYgoDTNVfF48L3aUOwMbO.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\TXqT6X30DuHmvWeCAIdAJgkl.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\6wWkqIVwxEWYdqEdisq9REAe.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\BlA2hw2yFa29t6yMSiP5VFSP.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954000965480.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\HnxOZG3DwW4E1SVwALrofmdk.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\KWuM8Zwy1b2PQLlilGvrKdff.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\6gZRu0dCotZWu6pX7Uek4x9E.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\H5IdNZJmWFbmVKRjrzSzq_VU.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954028507540.dll Jump to dropped file
Source: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe File created: C:\Users\user\AppData\Local\Temp\7zSDE38.tmp\ARP.EXE Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\m8JansxpyzuBEO97WyI6iaFf.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe File created: C:\Users\user\AppData\Local\Temp\Zqicom_beta\UIxMarketPlugin.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\crQs8KoUCPX4z7Mk64XktfRP.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\YTPkrsvhjPQ50b0uZLG5k6S0.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\OxxNs5ZxnbIXbeNW29miCVdc.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\win10_share_handler.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\gfs9Rn2mibclwwbSn804T4qI.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\OcpgtzOBHU9PeDrU4TzpzUio.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\IFuSUUxv5JW4MS2vMljuonta.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\kRnXkLddLBiDJSWVDNmKe1N5.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\cad54ba5b01423b1af8ec10ab5719d97[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\ySPTaGUdAgM6iUd6OElZjJ8a.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\N6gs4eA7eEYDf77vFjOtaIRK.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\nMH85SeKZvjiaQVYVzZz29h4.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\pW8F3CFaTJ7QQfRu6XHeFjuH.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\d3dcompiler_47.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\0TU9HPJqFrjaMH2ab2eutLT6.exe Jump to dropped file
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\1xM2kELmlEwT0ZdAXbxTFlAd.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\BqsqdXmriN4iGpEEJloL19dC.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\Y4gYOHhcDIL11PZ9V6Axqrm2.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\GY7KNUU4SH3BfIpJRsCwtBKS.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\J57GOKr4COSgt8vrl68ezu0X.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\tGsxzPGBWHgVLAYn2fKHDL8e.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\ypRJy7YxyCKNParY18kjMH4H.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\RDyYTnMDkCW8uIAVGFHTmr8b.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\j6Qvoqh3VYnq7WtxQyoPLqQ0.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\iPGtLilwi2RNQvmM45aBqzX6.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954121857980.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\7eNXk0Z1HqnaBEGvizZr7Der.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\BOEYM1Zh50nKU5eXSaSbgNyY.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\KtJVXw17tLyQAhIxYU41jVqs.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\VqEVjVhhS60d6QE1qz683nDz.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\hHsrArYG5kPtHHpnTseHq4DF.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\4LMGAkDVX3uzZmWUtCmUEDjB.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\fShSvC1wFBBqHPdIyqjcnjYY.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\7v7atVhL2o2P1rhZ4wUoEeua.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\GEvJBWLsnPNlCNiw7qqanykB.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\lmiE0wDdbnNImUnFhBPggaoj.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\rO91t03U6QGPgKg7iOh3SEVF.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\7h3MwjMZ6vEaBgd6kdodu3Pw.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\KRK8jWRjlROKQEVnbAEUjCvQ.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\assistant_package Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Space_bake[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\rules[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\BepzPmjK88swCYSybPtwWA0m.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\duFxxF1UpKpUQ04rADremxoL.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Jump to dropped file
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe File created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\9jWj0z9AbUQVuLDtI6HvGto1.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\clnVTfVHLSH8ULUPWfOeVu5Z.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Retailer_prog[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\B9cU5UhtOasu5i8g4dfVXhxb.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\qyNU89bNsoji84PSVfnILP6f.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\libEGL.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\tol5HdFnEn6VkJ5rdCz9UsIJ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\f73ha0P54IB5rPcLdHiltLCQ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\SmfdhfO4sDrl5YJKMhtQ491n.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\notification_helper.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\FXcxjnqlIBGnDayd_pHBiVEI.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\Y19ex8vzCbShkGSA8eqfhDzt.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\U3ppUSZ1498Zn7mGQqxHXAOf.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\L2V4vJn3M0qTTh7N5Bw7rXMb.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\installer.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\E6AsrxSdGpg1z4OZtZRR4Kn2.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\suFJGkt2HAaGWcZVH7RaOasE.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\6MTG5E8zAXefmLFaBJ11MZso.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\Rq807joaUQGWAAeRQkX7gdMO.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\grabber[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\eifmHtaYRvEDUaaleUykWOb3.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\rxKdbi1mxdhb3gQnRtcL21w6.exe Jump to dropped file
Source: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe File created: C:\Users\user\AppData\Local\Temp\7zSDE38.tmp\hh.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\0UUxNGvo5SBoNXrhVKNnInBZ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\fS6ic3iP0LseiY8Ck7zmeGGw.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\Jdk6KxIklqc8FORT2NpB78NQ.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\dJfVoxt31cguly6snQSXBF2t.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\opera_elf.dll Jump to dropped file
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe File created: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\DnSoqupi4xomDvOwR3I3rI2s.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\Ag2Svd21FNEgI75kEgj2hict.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\tEgtSEPzimGLILHlSAKRZmcu.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\nv8EsHGXmJg4S8V2ZqX2sGzI.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\KyhbRBJPdMcoT4xv1l5OEsR2.exe Jump to dropped file
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe File created: C:\Users\user\AppData\Local\Temp\u5vc.0.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\68TEqrsa15uzHFWmeFosqQFP.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\zKW678DCl3v5blnmCqpv2mbr.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\opera.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\bEJbb1QJjCxT3KqTjSpz7GI2.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Assistant_109.0.5097.45_Setup[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe File created: C:\Users\user\AppData\Local\Temp\7zSDE38.tmp\Install.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\opera_browser.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\PlATw6OLviQWLvksohyJaztF.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\win8_importing.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\25hX7FI1dURDmB4jtoeQIHHK.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\hJY1ofwqBcbhUe2B304qYJQu.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154021\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe (copy) Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\1pwXik5TSXPHdUS8qk7dav8p.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\UwAqjNCs7dbNbF3545Qfm9i9.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\ej7uIDPLu0LjdGuJMOYuukWH.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\Ur3375fnVQIg7Ml6s6BiIJ4X.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\123p[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File created: C:\Users\user\Documents\SimpleAdobe\j0muh7S3p0fFGFbAmRNzniXR.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\DowpWy0co4Mzz9d9uodrpoCS.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\g0KjW1r2TroGPA35Rl4Ra3f3.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\dCIPcTBNISbOYlOJ88oMaC6S.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Local\UZUmS3UT5nPu2Y8UellaIFKd.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954011947204.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154331\opera_package Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240420115400624.log
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240420115404185.log
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240420115407543.log
Source: C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe File created: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer\opera_installer_20240420115432335.log
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File created: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\resources\opera_intro_extension\index.js.LICENSE.txt

Boot Survival

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLUGnmdjv91l8d6gMrFKfqeR.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WImPA7XprDYYmlz4GgprXq9C.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hhAlBlBcTrCM4k8GWVNeC1sK.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mry6IgQEwo1gxMPOLycokamw.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\i7vF1MY2TVYZqGWhHoW4RRyi.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QzUlU4h4IggSGhZ3ewlyu0eE.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chw7pkmcZKPpu71RpcTIqa6s.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mCd52vFOP19CiLf03bQJ3aGc.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RkdSdP8M6AbsQtjbHFKFouOF.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1ugjoOir0PULN4OxPQoMZSsL.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\q1P64wFhWXy4uVFNjCbfpfGr.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dxw94SlwtZgqHus5Nl3FSWhO.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\j7zIyIEKrcEUmZdJXud5OHT4.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u17DLWYqQiMfdMKobS0HdqkF.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jRQvvubEQ217f0QaYB8jiZhg.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZBhcJR2MdXQtfeNbPU9d8lCa.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QKcp8E1LpgL090p8CDo4dOji.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S2klfAamodatcjnlQv5oyaKC.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c77OcrlGrGXFhu6R8Wa5kcvn.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WZAIwSiQSTaYqhhMK6bnivxT.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qJSDHpIb2rLfYeC4f96RcRNG.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a87So8hWHJJwWZJwrNtczOp.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07RmZhDspOVmIDekv4pZ1sw6.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gAtbL0EbZ2xzXkIUg0ETQphY.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Z2IVExTILUck9lboEFI5lzR0.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8FvWCRXZagW4LvZ9VBvdUlvw.bat Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8akbT027aAu3YRSu28eTlRZK.bat Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cxxpPw3s1HdzNStl9efGdTTl.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LtQjEglcwrS0A2mejkCXvgvz.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fFwsfbHkIASWBjKkJi8tMMYy.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zcahb0UDni9GYNLeBHZ326N6.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PjPlYdjzKXySfcDbuM8rBM0W.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HNwfqO3m6A3ILkRyxrVsKL5b.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\V1teOH1FXTouL5jbYSeg1BZB.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lTDqDoswMlyaDctovUVp97xf.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CiqHZCWi4lNb131qvxMzGIFp.bat Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juon39jkWJ8CpHVRs9ZpBzab.bat Jump to behavior
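The entries above show jsc.exe (the JScript.NET compiler shipped with the .NET Framework, a signed Microsoft binary) writing 32 random-named .bat files into the per-user Startup folder, so each one runs at the next logon. The following detection logic is an added example and is not part of the sandbox report: it scores Sysmon Event ID 11 (FileCreate) style records on three signals that this section exhibits, a script extension under a Startup folder, a writer that is a Windows or .NET utility rather than an installer, and a 20 to 32 character alphanumeric file name. The events are constructed to mirror the report's paths, the LOLBIN_WRITERS set and the random-name heuristic are assumptions to tune per environment, and the pattern covers both the per-user and the all-users Startup folder.

```python
"""Flag scripts dropped into a Windows Startup folder, the persistence pattern
seen above (jsc.exe writing random-named .bat files). Added example; the events
are constructed to mirror Sysmon Event ID 11 fields, not taken from the report."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Matches the per-user (AppData\Roaming) and all-users (ProgramData) Startup folders.
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".hta"}
# Windows/.NET binaries with no legitimate reason to create startup items; jsc.exe is
# the one seen in this report. The set is an assumption, extend it for your estate.
LOLBIN_WRITERS = {"jsc.exe", "csc.exe", "vbc.exe", "msbuild.exe", "regsvr32.exe",
                  "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}
# 20-32 mixed alphanumerics with no separators, like the 24-character names above.
RANDOM_STEM_RE = re.compile(r"^[A-Za-z0-9]{20,32}$")


@dataclass(frozen=True)
class Finding:
    image: str      # basename of the writing process
    path: str       # full target path
    reasons: tuple  # which signals fired


def assess(event: dict) -> Optional[Finding]:
    """Return a Finding for a FileCreate event that looks like startup persistence."""
    target = event["TargetFilename"]
    if not STARTUP_RE.search(target):
        return None                       # not a Startup folder at all
    p = PureWindowsPath(target)
    image = PureWindowsPath(event["Image"]).name.lower()
    reasons = []
    if p.suffix.lower() in SCRIPT_EXT:
        reasons.append("script in Startup")
    if image in LOLBIN_WRITERS:
        reasons.append(f"written by {image}")
    if RANDOM_STEM_RE.match(p.stem):
        reasons.append("random-looking name")
    # A descriptively named .lnk placed by explorer.exe fires nothing and is ignored.
    return Finding(image, target, tuple(reasons)) if reasons else None


def scan(events) -> List[Finding]:
    return [f for f in (assess(e) for e in events) if f is not None]


SAMPLE_EVENTS = [  # constructed; the first mirrors one jsc.exe drop from the report
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rNGQQUUImmduYor0cwnUWGTU.bat"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk"},
    {"Image": r"C:\Users\user\Desktop\jNeaezBuo8.exe",
     "TargetFilename": r"C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.image}: {f.path} -> {', '.join(f.reasons)}")
```

Only the jsc.exe event is reported, with all three reasons; the explorer.exe shortcut and the Pictures drop fall through. In production, the "written by" reason alone is usually enough to page on, since none of the listed binaries create startup items in normal use.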

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (12 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (9 identical entries)
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_00408761 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_00408761
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Process information set: NOOPENFILEERRORBOX (37 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (94 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX (49 identical entries)
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX (25 identical entries)
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\7h3MwjMZ6vEaBgd6kdodu3Pw.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\7h3MwjMZ6vEaBgd6kdodu3Pw.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\7h3MwjMZ6vEaBgd6kdodu3Pw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\7h3MwjMZ6vEaBgd6kdodu3Pw.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\TXqT6X30DuHmvWeCAIdAJgkl.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\TXqT6X30DuHmvWeCAIdAJgkl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\TXqT6X30DuHmvWeCAIdAJgkl.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\TXqT6X30DuHmvWeCAIdAJgkl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: jNeaezBuo8.exe PID: 3636, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004790000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000400000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004800000.00000004.00001000.00020000.00000000.sdmp, 7h3MwjMZ6vEaBgd6kdodu3Pw.exe, 00000019.00000003.2112599187.00000000047F0000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIESBAD ADDRESSBAD ARGSIZEBAD M VALUEBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLE2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN1FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEGLOBALALLOCHTTP2CLIENTHTTP2SERVERHTTPS_PROXYI/O TIMEOUTLOCAL ERRORMSPANMANUALMETHODARGS(MINTRIGGER=MOVE %S: %WMSWSOCK.DLLNETPOLLINITNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SREFLECT.SETREFLECTOFFSRETRY-AFTERRUNTIME: P RUNTIME: G RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTACK TRACESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=195WININET.DLLWUP_PROCESS (SENSITIVE) B (
Source: jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9772000.00000004.00000800.00020000.00000000.sdmp, jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9B98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9772000.00000004.00000800.00020000.00000000.sdmp, jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9B98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004790000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000400000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004800000.00000004.00001000.00020000.00000000.sdmp, 7h3MwjMZ6vEaBgd6kdodu3Pw.exe, 00000019.00000003.2112599187.00000000047F0000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004790000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000400000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004800000.00000004.00001000.00020000.00000000.sdmp, 7h3MwjMZ6vEaBgd6kdodu3Pw.exe, 00000019.00000003.2112599187.00000000047F0000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD RESTART PCBAD SPAN STATEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEFILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATEMULTIPARTFILESNEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREAD_FRAME_EOFREFLECT.VALUE.REMOVE APP: %WRUNTIME: FULL=RUNTIME: WANT=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTART TASK: %WSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIME.LOCATION(TIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIES
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Special instruction interceptor: First address: 7FF78D11BE96 instructions caused by: Self-modifying code
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe Special instruction interceptor: First address: 7FF6B772BE96 instructions caused by: Self-modifying code
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Special instruction interceptor: First address: 7FF7B4EDBE96 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Memory allocated: 1BCA7DE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Memory allocated: 1BCC1720000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 1590000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 3150000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 2FF0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 7310000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 8310000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 8480000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 9480000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 9E20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: AE20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: BE20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: CE20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: DE20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: ACE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: BCE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: E6E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 10B60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 11B60000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 107E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 12DE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: B3A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 15DE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 18DE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 19960000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 1A960000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 1E960000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 13E30000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 127E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: CBA0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: E360000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 10360000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 13360000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: B0A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 1B960000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 1C960000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 1D960000 memory reserve | memory write watch
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598289
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598066
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597925
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597462
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597346
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597099
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596801
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595303
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595035
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 594886
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 594769
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 594635
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 594521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 594376
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 594206
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 594073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 593953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 593838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 593705
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 593519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 593390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 593280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 593168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 593061
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 592951
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 592837
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 592731
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 592617
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 592499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 592326
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 592201
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 591998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 591790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 591670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 591483
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 591341
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6709
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Window / User API: threadDelayed 5715
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Window / User API: threadDelayed 3741
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Window / User API: threadDelayed 356
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2313
Source: C:\Users\user\AppData\Local\Temp\u5vc.0.exe Window / User API: threadDelayed 482
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2468
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2093
Source: C:\Users\user\AppData\Local\Temp\u3a8.0.exe Window / User API: threadDelayed 703
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954283907356.dll
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954036647596.dll
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\H5IdNZJmWFbmVKRjrzSzq_VU.exe
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954028507540.dll
Source: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSDE38.tmp\ARP.EXE
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\DHD6dwSMrsUYWbjq1ydcbpSW.exe
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Zqicom_beta\UIxMarketPlugin.dll
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\YTPkrsvhjPQ50b0uZLG5k6S0.exe
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\win10_share_handler.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\OxxNs5ZxnbIXbeNW29miCVdc.exe
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\dxil.dll
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Opera_109.0.5097.45_Autoupdate_x64[1].exe
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\IFuSUUxv5JW4MS2vMljuonta.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\kRnXkLddLBiDJSWVDNmKe1N5.exe
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\setup294[1].exe
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\cad54ba5b01423b1af8ec10ab5719d97[1].exe
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\opera_gx_splash.exe
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Zqicom_beta\UniversalInstaller.exe
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\N6gs4eA7eEYDf77vFjOtaIRK.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\nMH85SeKZvjiaQVYVzZz29h4.exe
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\d3dcompiler_47.dll
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u4n8.1.exe
Source: C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3a8.1.exe
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\060[1].exe
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154021\additional_file0.tmp
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\opera_crashreporter.exe
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\setup[1].exe
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\kh9bXd0Y6gx6bLu88nVllBRp.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\JHNCg0JIVGbBMVNGHXYgXCki.exe
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\timeSync[1].exe
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\RDyYTnMDkCW8uIAVGFHTmr8b.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\iPGtLilwi2RNQvmM45aBqzX6.exe
Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954121857980.dll
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\mojo_core.dll
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\YzypULQuittVyIJ8wj4JdBvq.exe
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5vc.1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\hHsrArYG5kPtHHpnTseHq4DF.exe
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\fs8UvdH7aqxSxTI4lJXRD5UK.exe
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\vk_swiftshader.dll
Source: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSDE38.tmp\appidpolicyconverter.exe
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\assistant_package
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954055427752.dll
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Zqicom_beta\relay.dll
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154331\opera_package Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Space_bake[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\rules[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\SWxWPnF0GcSxZboClYn5fyJs.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954004632668.dll Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\OgqrEizuQKrGmbhIuvrJL0FK.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\mJELMFYiIOwSEHw1MspR0tMC.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Default15_team[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\libGLESv2.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\clnVTfVHLSH8ULUPWfOeVu5Z.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Retailer_prog[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\libEGL.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\tol5HdFnEn6VkJ5rdCz9UsIJ.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\notification_helper.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\FXcxjnqlIBGnDayd_pHBiVEI.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\L2V4vJn3M0qTTh7N5Bw7rXMb.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\ISydF4SkTNvMTsMw0fHGm6cg.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\c7hxt59BnCQTVxfSbyanvm1E.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\installer.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\installer_helper_64.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\launcher.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\grabber[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\rxKdbi1mxdhb3gQnRtcL21w6.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\eifmHtaYRvEDUaaleUykWOb3.exe Jump to dropped file
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Opera_109.0.5097.45_Autoupdate_x64[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\dxcompiler.dll Jump to dropped file
Source: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSDE38.tmp\hh.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Kug8B5xZ6LzxYK18JAPEOCZZ.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\6462c272[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\OhUCrCHnpMj4vCBH2WFCAm31.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\opera_elf.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\8zhaIaqIg3EHTANT2VC891Qh.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\AtTxCqcCWwN4uzHaU4nBaNLb.exe Jump to dropped file
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954066687816.dll Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\opera_autoupdate.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154021\opera_package Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\opera.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Assistant_109.0.5097.45_Setup[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSDE38.tmp\Install.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\opera_browser.dll Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\vulkan-1.dll Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Opera\109.0.5097.45\win8_importing.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\kX1qCrGX0yxVsyVKBPTFPIvC.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\hJY1ofwqBcbhUe2B304qYJQu.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\tP5pTf0jS1kLhyjqmBv_VrrP.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154021\assistant\Assistant_109.0.5097.45_Setup.exe_sfx.exe (copy) Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\ej7uIDPLu0LjdGuJMOYuukWH.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\fqT8tD2oUyudVPlyITmN6DQI.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\123p[1].exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\j0muh7S3p0fFGFbAmRNzniXR.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\DowpWy0co4Mzz9d9uodrpoCS.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954000965480.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\UZUmS3UT5nPu2Y8UellaIFKd.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Opera_installer_2404200954011947204.dll Jump to dropped file
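The "Dropped PE file which has not been started" findings above are more useful as a graph than as a list: which process staged which payloads, and where. Two details are worth pulling out automatically. u4n8.0.exe writes mozglue.dll, nss3.dll, freebl3.dll and softokn3.dll, the Mozilla NSS libraries a stealer needs to decrypt Firefox's saved logins, into INetCache and C:\ProgramData; and several droppers park payloads in Pictures and Documents\SimpleAdobe rather than %TEMP%. The script below is an added example, not part of the Joe Sandbox report: it parses a handful of the lines above (copied verbatim, link text included so the parser has to tolerate it), builds the source-to-payload map and flags both patterns. The "at least 3 of 4 NSS DLLs" threshold and the list of user folders are my own choices.

```python
import re
from collections import defaultdict

# Constructed input: ten "Dropped PE file" findings copied from the report.
SAMPLE_REPORT = r"""
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\Pictures\JHNCg0JIVGbBMVNGHXYgXCki.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\hHsrArYG5kPtHHpnTseHq4DF.exe Jump to dropped file
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\kh9bXd0Y6gx6bLu88nVllBRp.exe Jump to dropped file
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5vc.1.exe Jump to dropped file
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154021\additional_file0.tmp Jump to dropped file
"""

DROP_RE = re.compile(
    r"^Source: (?P<src>.+?) Dropped PE file which has not been started: "
    r"(?P<dst>.+?)(?: Jump to dropped file)?$", re.M)

# Mozilla NSS libraries; a stealer fetches these to decrypt Firefox's saved logins.
NSS_DLLS = frozenset({"mozglue.dll", "nss3.dll", "freebl3.dll", "softokn3.dll"})
# Assumption: document folders where a dropped PE is suspicious by location alone.
USER_FOLDERS = ("\\pictures\\", "\\documents\\", "\\desktop\\", "\\videos\\", "\\music\\")


def parse_dropped(text):
    """(source process, dropped path) pairs, with the link text stripped."""
    return [(m["src"], m["dst"]) for m in DROP_RE.finditer(text)]


def basename(path):
    """File name without the INetCache '[n]' suffix, lower-cased."""
    return re.sub(r"\[\d+\]", "", path.rsplit("\\", 1)[-1]).lower()


def drop_graph(pairs):
    """Source process -> list of paths it wrote."""
    graph = defaultdict(list)
    for src, dst in pairs:
        graph[src].append(dst)
    return dict(graph)


def nss_bundle_droppers(graph, minimum=3):
    """Sources that wrote at least `minimum` of the four NSS DLLs."""
    hits = {}
    for src, dsts in graph.items():
        found = {basename(d) for d in dsts} & NSS_DLLS
        if len(found) >= minimum:
            hits[src] = found
    return hits


def user_folder_drops(pairs):
    """Dropped files parked in document folders rather than %TEMP%."""
    return [dst for _, dst in pairs if any(f in dst.lower() for f in USER_FOLDERS)]


def triage(text):
    """One dict a reviewer can read: who dropped how much, and the two flags."""
    pairs = parse_dropped(text)
    graph = drop_graph(pairs)
    return {
        "drops_per_source": {basename(s): len(d) for s, d in graph.items()},
        "nss_droppers": {basename(s): sorted(v) for s, v in nss_bundle_droppers(graph).items()},
        "user_folder_drops": user_folder_drops(pairs),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, value)
```

Feed the whole findings list through `triage` instead of the ten sample lines and the count per source makes the staging roles obvious: jsc.exe (a .NET framework binary used as an injection host) and DAzvKQG6Ksqk3AfqsZxaFtPP.exe account for most of the parked executables, while u4n8.0.exe is the only process assembling the NSS set.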
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe API coverage: 8.4 %
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe API coverage: 8.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1472 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -27670116110564310s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 2568 Thread sleep count: 5715 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 2568 Thread sleep count: 3741 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -599765s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -599644s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -599515s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -599406s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -599296s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -599182s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -599078s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -598962s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -598859s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -598749s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -598624s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -598514s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -598406s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -598289s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -598186s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -598066s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -597925s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -597797s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -597687s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -597576s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -597462s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -597346s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -597218s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -597099s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -596948s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -596801s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -596656s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -596375s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -596242s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -596123s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -596003s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -595878s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -595744s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -595623s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -595456s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -595303s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -595160s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -595035s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6112 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -594886s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -594769s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -594635s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -594521s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -594376s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -594206s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -594073s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -593953s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -593838s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -593705s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -593519s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -593390s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -593280s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -593168s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -593061s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -592951s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -592837s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -592731s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -592617s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -592499s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -592326s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -592201s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -591998s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -591790s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -591670s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -591483s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -591341s >= -30000s Jump to behavior
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe TID: 7288 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe TID: 8012 Thread sleep time: -71200s >= -30000s
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe TID: 4112 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe TID: 8052 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8488 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7568 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7800 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\u5vc.0.exe TID: 2824 Thread sleep count: 482 > 30
Source: C:\Users\user\AppData\Local\Temp\u5vc.0.exe TID: 2824 Thread sleep time: -2892000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8388 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8388 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2956 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8820 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8820 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3192 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8156 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\u3a8.0.exe TID: 4616 Thread sleep count: 703 > 30
Source: C:\Users\user\AppData\Local\Temp\u3a8.0.exe TID: 4616 Thread sleep time: -4218000s >= -30000s
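The sleep findings above carry three distinct stalling techniques that a reviewer has to separate by hand. The powershell.exe threads report exactly -922337203685477, which is what an INFINITE relative NtDelayExecution interval (INT64_MIN in 100 ns ticks) becomes when converted to milliseconds, so those threads never intended to wake up. jsc.exe thread 5708 shows a staircase (600000, 599875, 599765, ...), consistent with a loop that sleeps until a deadline, re-reads the clock and re-arms the remaining time, which is how samples defeat a sandbox's sleep shortening. u5vc.0.exe and u3a8.0.exe instead call Sleep hundreds of times: 2892000 ms over 482 calls and 4218000 ms over 703 calls are both exactly 6000 ms per iteration, a fixed-delay polling loop. The script below is an added example, not part of the report: it parses the lines (copied verbatim) and classifies each thread. Treating the report's numbers as milliseconds and the 1 % step size for the staircase check are my assumptions.

```python
import re
from collections import defaultdict

# Constructed input: sleep findings copied from the report, link text left in place.
SAMPLE_REPORT = r"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1472 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -600000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 2568 Thread sleep count: 5715 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -599875s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -599765s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5708 Thread sleep time: -599644s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 6112 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8488 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8388 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\u5vc.0.exe TID: 2824 Thread sleep count: 482 > 30
Source: C:\Users\user\AppData\Local\Temp\u5vc.0.exe TID: 2824 Thread sleep time: -2892000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\u3a8.0.exe TID: 4616 Thread sleep count: 703 > 30
Source: C:\Users\user\AppData\Local\Temp\u3a8.0.exe TID: 4616 Thread sleep time: -4218000s >= -30000s
"""

TIME_RE = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s >= -(?P<thr>\d+)s", re.M)
COUNT_RE = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep count: (?P<n>\d+) > (?P<thr>\d+)", re.M)

# Assumption: the report's values are millisecond-scale relative intervals.
# INT64_MIN (an INFINITE NtDelayExecution wait, in 100 ns ticks) divided by
# 10,000 truncates to 922337203685477, the figure powershell.exe reports.
INFINITE_MS = (2 ** 63) // 10_000


def parse_sleeps(text):
    """Group sleep findings by (process path, thread id)."""
    recs = defaultdict(lambda: {"sleeps": [], "count": None, "threshold_ms": None})
    for m in TIME_RE.finditer(text):
        rec = recs[(m["proc"], m["tid"])]
        rec["sleeps"].append(int(m["ms"]))
        rec["threshold_ms"] = int(m["thr"])
    for m in COUNT_RE.finditer(text):
        recs[(m["proc"], m["tid"])]["count"] = int(m["n"])
    return dict(recs)


def is_rearmed_countdown(sleeps, max_step=0.01):
    """Strictly decreasing sleeps, each shorter than the last by under
    max_step of its length: the signature of 'sleep to a deadline, re-check
    the clock, sleep the remainder' when the sandbox cuts each sleep short."""
    if len(sleeps) < 3:
        return False
    return all(0 < a - b < a * max_step for a, b in zip(sleeps, sleeps[1:]))


def classify(rec):
    """Summarise one thread's stalling behaviour."""
    finite = [s for s in rec["sleeps"] if s < INFINITE_MS]
    total = sum(finite)
    out = {
        "infinite_wait": any(s >= INFINITE_MS for s in rec["sleeps"]),
        "total_ms": total,
        "max_ms": max(finite, default=0),
        "count": rec["count"],
        "per_iteration_ms": None,
        "rearmed_countdown": is_rearmed_countdown(finite),
    }
    if rec["count"] and total:
        out["per_iteration_ms"] = total / rec["count"]
    return out


def evasion_findings(text):
    """(process name, tid, reasons) for every thread that looks like a stall."""
    findings = []
    for (proc, tid), rec in parse_sleeps(text).items():
        c = classify(rec)
        reasons = []
        if c["infinite_wait"]:
            reasons.append("INFINITE wait")
        if c["rearmed_countdown"]:
            reasons.append("re-armed countdown (resists sleep skipping)")
        if c["count"] and c["count"] > 30:
            per = f", ~{c['per_iteration_ms']:.0f} ms each" if c["per_iteration_ms"] else ""
            reasons.append(f"{c['count']} sleeps{per}")
        if c["max_ms"] >= 60_000:
            reasons.append(f"single sleep of {c['max_ms'] / 60_000:.1f} min")
        if reasons:
            findings.append((proc.rsplit("\\", 1)[-1], tid, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for proc, tid, why in evasion_findings(SAMPLE_REPORT):
        print(f"{proc} tid {tid}: {why}")
```

The staircase check is the one worth keeping in a triage pipeline: a single long sleep is defeated by sleep skipping, but a loop that re-reads the clock is not, which is also why the jsc.exe process ends up with the long run of near-identical findings listed above.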
Source: C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\u3a8.0.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\u3a8.0.exe Last function: Thread delayed
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe File Volume queried: C:\Users\user\Desktop FullSizeInformation
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_0041D9E1 FindFirstFileExA, 10_2_0041D9E1
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_036FDC48 FindFirstFileExA, 10_2_036FDC48
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 18_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 18_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 18_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 18_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 18_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 18_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 18_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 18_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 18_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_036627D7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 18_2_036627D7
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0365D7A7 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 18_2_0365D7A7
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_03661DE7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 18_2_03661DE7
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0365DDC7 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 18_2_0365DDC7
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0365B877 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 18_2_0365B877
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_03662457 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 18_2_03662457
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0365D427 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 18_2_0365D427
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_03651827 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 18_2_03651827
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_036618B7 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 18_2_036618B7
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_0041D9E1 FindFirstFileExA, 24_2_0041D9E1
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_035BDC48 FindFirstFileExA, 24_2_035BDC48
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00401120 GetSystemInfo,ExitProcess, 18_2_00401120
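The "Code function" call chains for u4n8.0.exe are the shape of a stealer's file-grabber loop: FindFirstFileA, StrCmpCA (skipping "." and ".."), wsprintfA and PathMatchSpecA (building and matching a path pattern), CopyFileA into a staging directory, DeleteFileA, FindNextFileA, FindClose. Two further points are easy to miss when reading the list. The same chains appear at 0x0040xxxx and again at 0x0365xxxx (18_2_00412570 and 18_2_036627D7 are identical, as are 18_2_0040D1C0 and 18_2_0365D427), so the same code is mapped twice in process 18, consistent with an unpacked copy beside the original image. And 18_2_00401120 pairs GetSystemInfo with ExitProcess, an environment gate that can end the run before any grabbing happens. The script below is an added example, not part of the report: it parses a subset of the lines above (copied verbatim), scores each function against the grabber roles, pairs duplicated bodies and lists the gates. The role sets are my own and can be extended.

```python
import re
from collections import defaultdict

# Constructed input: nine "Code function" findings copied from the report.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_0041D9E1 FindFirstFileExA, 10_2_0041D9E1
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 18_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 18_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 18_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 18_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_036627D7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 18_2_036627D7
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_03662457 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 18_2_03662457
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0365D427 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 18_2_0365D427
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00401120 GetSystemInfo,ExitProcess, 18_2_00401120
"""

# "<id> <api,api,...,> <id>": the API list has no spaces and a trailing comma.
FUNC_RE = re.compile(r"^Source: (?P<proc>.+?) Code function: (?P<id>\S+) (?P<apis>\S+) (?P=id)$", re.M)

# Assumption: role sets for the grabber heuristic (extend with W variants etc.).
ENUMERATE = {"FindFirstFileA", "FindFirstFileW", "FindFirstFileExA", "FindFirstFileExW", "FindNextFileA", "FindNextFileW"}
FILTER = {"StrCmpCA", "StrCmpCW", "PathMatchSpecA", "PathMatchSpecW"}
COLLECT = {"CopyFileA", "CopyFileW"}
CLEANUP = {"DeleteFileA", "DeleteFileW"}
PROBE = {"GetSystemInfo"}  # host-inspection APIs seen before an ExitProcess


def parse_code_functions(text):
    """[{proc, id, apis}] with the API chain as a tuple in call order."""
    out = []
    for m in FUNC_RE.finditer(text):
        apis = tuple(a for a in m["apis"].split(",") if a)
        out.append({"proc": m["proc"], "id": m["id"], "apis": apis})
    return out


def grabber_roles(apis):
    """Which of the four grabber-loop roles the chain covers."""
    s = set(apis)
    roles = set()
    if s & ENUMERATE:
        roles.add("enumerate")
    if s & FILTER:
        roles.add("filter")
    if s & COLLECT:
        roles.add("collect")
    if s & CLEANUP:
        roles.add("cleanup")
    return roles


def is_file_grabber(apis):
    """A directory walk plus a copy-out is the minimum; filtering and
    deleting the staged copy afterwards are the usual extras."""
    return {"enumerate", "collect"} <= grabber_roles(apis)


def duplicate_bodies(funcs):
    """Same process, identical chain, different addresses: the image is
    present twice (for example an unpacked copy beside the original)."""
    by_chain = defaultdict(list)
    for f in funcs:
        by_chain[(f["proc"], f["apis"])].append(f["id"])
    return [tuple(ids) for ids in by_chain.values() if len(ids) > 1]


def environment_gates(funcs):
    """Probe-then-ExitProcess chains: the sample may refuse to run here."""
    return [f["id"] for f in funcs if set(f["apis"]) & PROBE and "ExitProcess" in f["apis"]]


def triage(text):
    funcs = parse_code_functions(text)
    return {
        "grabbers": [f["id"] for f in funcs if is_file_grabber(f["apis"])],
        "duplicates": duplicate_bodies(funcs),
        "gates": environment_gates(funcs),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(key, value)
```

Run over the full list of u4n8.0.exe chains, the grabber filter keeps twelve of the eighteen functions; the ones it drops are the pure enumeration loops (18_2_0040D1C0, 18_2_0040DB60, 18_2_00411B80 and their 0x0365xxxx twins), which is where the stealer walks a directory to decide what to collect rather than collecting it.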
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 599078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598289
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 598066
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597925
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597462
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597346
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 597099
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596801
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596242
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 596003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595303
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 595035
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 594886
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 594769
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 594635
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 594521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 594376
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 594206
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 594073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 593953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 593838
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 593705
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 593519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 593390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 593280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 593168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 593061
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 592951
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 592837
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 592731
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 592617
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 592499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 592326
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 592201
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 591998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 591790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 591670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 591483
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 591341
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Thread delayed: delay time: 300000
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad restart PCbad span statebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responsefile too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofileratemultipartfilesneed more datanil elem type!no module datano such deviceopen event: %wparse cert: %wprotocol errorread certs: %wread_frame_eofreflect.Value.remove app: %wruntime: full=runtime: want=s.allocCount= semaRoot queueserver.versionstack overflowstart task: %wstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: sbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--P
Source: jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9B98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004790000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000400000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004800000.00000004.00001000.00020000.00000000.sdmp, 7h3MwjMZ6vEaBgd6kdodu3Pw.exe, 00000019.00000003.2112599187.00000000047F0000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWRtlGetCurrentPebSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: entersyscallexit status failed to %wfound av: %sgcBitsArenasgcpacertracegetaddrinfowgot TI tokenguid_machineharddecommithost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid pathinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmheapSpecialmsftedit.dllmspanSpecialnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wproxyconnectrandautoseedrecv_goaway_reflect.Copyreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDONT-FRAGMENTDeleteServiceDestroyWindowDistributorIDECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGeoIPFile %s
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s cmd is nilcomplex128connectiondebug calldnsapi.dlldsefix.exedwmapi.dlle.keff.orgexecerrdotexitThreadexp masterfloat32nanfloat64nangetsockoptgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleindicationinvalid IPinvalidptrkeep-alivemSpanInUsemyhostnameno resultsnot a boolnot signednotifyListowner diedpowershellprl_cc.exeprofInsertres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresend stateset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtext/plaintime.Date(time.Localtracefree(tracegc()
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: psapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= p
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: acceptactivechan<-closedcookiedirectdomainefenceempty exec: expectfamilygeoip6gopherhangupheaderinternip+netkilledlistenminutenetdnsnumberobjectoriginpopcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00/api/cdn?/api/poll127.0.0.1244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]_outboundatomicor8attributeb.ooze.ccbad indirbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0dns,filesecdsa.netempty urlfiles,dnsfn.48.orgfodhelperfork/execfuncargs(gdi32.dllhchanLeafimage/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplocalhostmSpanDeadnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v
Source: jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9B98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: STAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00 %+v m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3ca
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie$WINDIR% CPU (%03d %s%v: %#x, goid=, j0 = -nologo/delete19531252.5.4.32.5.
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001B64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3370822127.0000000003A09000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: ameNewaPINGPOSTPathQEMUROOTH
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: ersexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindo
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2099761401.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2099761401.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2097054882.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000003.2099984461.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, u4n8.0.exe, 00000012.00000002.3427480014.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp, qVgCKtvfJNb4NfGV6kK2PcSn.exe, 00000018.00000002.2675239063.0000000001D87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9B98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9B98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: popcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3370822127.0000000003A09000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: 11VBoxSFWINDIRWD
Source: qVgCKtvfJNb4NfGV6kK2PcSn.exe, 00000018.00000002.2675239063.0000000001D87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %SystemRoot%\system32\NLAapi.dllHyper-V RAWX
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: pclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: sse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BE
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: LycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd acceptactivechan<-closedcookiedirectdo
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3370822127.0000000003A09000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: aryvmcixn-SR-%W
Source: jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9B98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9B98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday(%s.uuid.%s%s|%s%s|%s(BADINDEX), bound = , limit = -noprofile-uninstall.localhost/dev/stdin/etc/hosts/show-eula12207031256103515625: parsing :authorityAdditionalBad varintCampaignIDCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMERROR-CODEException GC forced
Source: jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9B98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: main.isRunningInsideVMWare
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: 4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: rSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)
Source: u4n8.0.exe, 00000012.00000002.3427320111.0000000001B3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9B98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9B98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic BitBltBrahmiCANCELCONIN$CancelCarianChakmaCommonCookieCopticExpectFltMgrFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.250001500025000350004500055000650512560015600278125:***@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNONCENushuOghamOriyaOsageP-224P-256P-384P-521PGDSEREALMRangeRealmRunicSHA-1STermTakriTamilTypeAUSTARUUID=\u202] = (allowarrayatimebad nchdirchmodclosecsrssctimedeferfalsefaultfilesfloatgcinggeoipgnamegscanhchanhostshttpsimap2imap3imapsinit int16int32int64matchmheapmkdirmonthmtimentohspanicparsepgdsepop3sproxyrangermdirrouterune scav schedsdsetsleepslicesockssse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...)
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3370822127.0000000003A09000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: tVMSrvcs|!
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004790000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000400000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004800000.00000004.00001000.00020000.00000000.sdmp, 7h3MwjMZ6vEaBgd6kdodu3Pw.exe, 00000019.00000003.2112599187.00000000047F0000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 100-continue127.0.0.1:%d127.0.0.1:53152587890625762939453125AUTHENTICATEBidi_ControlCIDR addressCONTINUATIONCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGetUserGeoIDGlobalUnlockGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectServer ErrorSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegc
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: 3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthoritiesbad addressbad argSizebad m valuebad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcreated by crypt32.dlle2.keff.orgembedded/%sexternal IPfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknameglobalAllochttp2clienthttp2serverhttps_proxyi/o timeoutlocal errormSpanManualmethodargs(minTrigger=move %s: %wmswsock.dllnetpollInitnext servernil contextopera-proxyorannis.comout of syncparse errorprocess: %sreflect.SetreflectOffsretry-afterruntime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writestack tracestart proxytaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dllversion=195wininet.dllwup_process (sensitive) B (
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: ermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= ms, ptr tab= top=%s %q%s
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: yreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdo
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWindowUnicodeIsWindowVisibleIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: sse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s&#34;&#39;&amp;+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.2500
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004790000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000400000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004800000.00000004.00001000.00020000.00000000.sdmp, 7h3MwjMZ6vEaBgd6kdodu3Pw.exe, 00000019.00000003.2112599187.00000000047F0000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: SafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: svchost.exe, 00000015.00000003.2079278164.0000022498844000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthorities
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004790000.00000004.00001000.00020000.00000000.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3320561795.0000000000400000.00000040.00000001.01000000.00000009.sdmp, OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000003.2053288422.0000000004800000.00000004.00001000.00020000.00000000.sdmp, 7h3MwjMZ6vEaBgd6kdodu3Pw.exe, 00000019.00000003.2112599187.00000000047F0000.00000004.00001000.00020000.00000000.sdmp, TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: &gt;&lt;'\'') = ) m=+Inf-Inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: vmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ... exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--D
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: eUnprocessable EntityWinmonProcessMonitor\\.\pipe\VBoxTrayIPC^.*\._Ctype_uint8_t$asn1: syntax error: assigned stream ID 0bad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpcertificate requiredchan send (nil chan)close of nil channe
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: rdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying=
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: potency-Key\System32\drivers\\.\VBoxMiniRdrDN os/exec.Command(^.*\._Ctype_char$bad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcpu name is emptycreate window: %wdecode server: %wdecryption faileddownload fi
Source: jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9B98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9B98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog
Source: KB7dlYN3AfN1oeAtjoqEId5Q.exe, 0000000A.00000002.2684591676.0000000001D1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3370822127.0000000003A09000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: \\.\HGFS`
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3356024446.0000000001E6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: lUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Window
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: PalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe, 0000000C.00000002.3370822127.0000000003A09000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: vmhgfsP
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Not ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: jNeaezBuo8.exe, 00000000.00000002.3054104711.000001BCA9B98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptydouble unlockemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflateif-none-matchignoring fileimage/svg+xmlinvalid ASN.1invalid UTF-8invalid base kernel32.dllkey expansionlame referrallast-modifiedlevel 3 resetload64 failedmaster secretmin too largename is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeprofMemActiveprofMemFutureread EULA: %wrebooting nowruntime: seq=runtime: val=service stateset event: %wsigner is nilsocks connectsrmount errortimer expiredtraceStackTabtrailing dataunimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ...
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: bmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--DYOR--
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> answersany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scpuprofderiveddriversexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowswsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAllocateAltitudeArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneIsWindowJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMD5+SHA1MahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASHA3-224SHA3-256SHA3-384SHA3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs deadlockdefault:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp execwaitexporterf is nilfinishedfs gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid linkpathlocationmac_addrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B work ( blocked= in use)
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: ultX-Forwarded-For\\.\VBoxTrayIPC] morebuf={pc:accept-encodingaccept-languageadvertise erroragent is closedapplication/pdfasyncpreemptoffbad certificatebad trailer keybefore EfiGuardclass registredclient finishedcouldn't set AVcouldn't set sbdecode hash: %wdo
Source: svchost.exe, 00000013.00000002.2391302711.000001C3E0202000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: TXqT6X30DuHmvWeCAIdAJgkl.exe, 0000001A.00000003.2105064289.0000000004870000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ...
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (a
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: swsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAccepted
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservi
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: ddrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.)
Source: OOMSHFu8BfhOzlMYdVgLGKxh.exe Binary or memory string: rayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\Def
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe System information queried: ModuleInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Open window title or class name: regmonclass
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Open window title or class name: filemonclass
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Process queried: DebugPort
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00404540 InternetOpenA,StrCmpCA,LdrInitializeThunk,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 18_2_00404540
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00409A73
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 18_2_00416240
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_004139E7 mov eax, dword ptr fs:[00000030h] 10_2_004139E7
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_01C5F033 push dword ptr fs:[00000030h] 10_2_01C5F033
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_036E092B mov eax, dword ptr fs:[00000030h] 10_2_036E092B
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_036E0D90 mov eax, dword ptr fs:[00000030h] 10_2_036E0D90
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_036F3C4E mov eax, dword ptr fs:[00000030h] 10_2_036F3C4E
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Code function: 12_2_03A090A3 push dword ptr fs:[00000030h] 12_2_03A090A3
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Code function: 12_2_03F1092B mov eax, dword ptr fs:[00000030h] 12_2_03F1092B
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Code function: 12_2_03F10D90 mov eax, dword ptr fs:[00000030h] 12_2_03F10D90
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00415DC0 mov eax, dword ptr fs:[00000030h] 18_2_00415DC0
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_01B4F483 push dword ptr fs:[00000030h] 18_2_01B4F483
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0365092B mov eax, dword ptr fs:[00000030h] 18_2_0365092B
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_03650D90 mov eax, dword ptr fs:[00000030h] 18_2_03650D90
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_03666027 mov eax, dword ptr fs:[00000030h] 18_2_03666027
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_004139E7 mov eax, dword ptr fs:[00000030h] 24_2_004139E7
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_01D1F033 push dword ptr fs:[00000030h] 24_2_01D1F033
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_035A092B mov eax, dword ptr fs:[00000030h] 24_2_035A092B
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_035A0D90 mov eax, dword ptr fs:[00000030h] 24_2_035A0D90
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_035B3C4E mov eax, dword ptr fs:[00000030h] 24_2_035B3C4E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_00420C1A GetProcessHeap, 10_2_00420C1A
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process token adjusted: Debug
Source: C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe Process token adjusted: Debug
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Process token adjusted: Debug
Source: C:\Users\user\Pictures\TXqT6X30DuHmvWeCAIdAJgkl.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Pictures\KtJVXw17tLyQAhIxYU41jVqs.exe Process token adjusted: Debug
Source: C:\Users\user\Pictures\Y19ex8vzCbShkGSA8eqfhDzt.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00409A73
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_00409C06 SetUnhandledExceptionFilter, 10_2_00409C06
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00409EBE
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_0041073B
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_036EA125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_036EA125
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_036F09A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_036F09A2
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_036E9E6D SetUnhandledExceptionFilter, 10_2_036E9E6D
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_036E9CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_036E9CDA
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00419DC7 SetUnhandledExceptionFilter, 18_2_00419DC7
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00417B4E
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_004173DD
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_03667644 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_03667644
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_03667DB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_03667DB5
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_0366A02E SetUnhandledExceptionFilter, 18_2_0366A02E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_00409A73
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_00409C06 SetUnhandledExceptionFilter, 24_2_00409C06
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_00409EBE
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_0041073B
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_035AA125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_035AA125
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_035B09A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_035B09A2
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_035A9E6D SetUnhandledExceptionFilter, 24_2_035A9E6D
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: 24_2_035A9CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_035A9CDA
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\jNeaezBuo8.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jNeaezBuo8.exe" -Force
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{615FC77F-E2C6-42A4-9206-B716C8DC7509}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtProtectVirtualMemory: Direct from: 0x7FF6B7CBA2C0
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtProtectVirtualMemory: Direct from: 0x7FF7B5587026
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe NtQuerySystemInformation: Direct from: 0xE009CFE878
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe NtProtectVirtualMemory: Direct from: 0x7FF8A3118735
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe NtSetInformationThread: Indirect: 0x7FF78D35F367
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtSetInformationThread: Indirect: 0x7FF7B511F367
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtSetInformationThread: Indirect: 0x7FF6B796F367
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtProtectVirtualMemory: Direct from: 0x7FF7B552EB66
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe NtQuerySystemInformation: Indirect: 0x7FF78D2FDF84
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe NtProtectVirtualMemory: Direct from: 0xA000000000
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe NtProtectVirtualMemory: Direct from: 0x7FF78D6BDECF
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtProtectVirtualMemory: Direct from: 0x7FF6B7B0FFD9
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtProtectVirtualMemory: Direct from: 0x7FF7B551D48B
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe NtAllocateVirtualMemory: Direct from: 0x7FF8A3118054
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtProtectVirtualMemory: Direct from: 0x7FF6B7AF858A
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtProtectVirtualMemory: Direct from: 0x7FF6B7D6BE9D
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe NtQueryInformationProcess: Indirect: 0x7FF78D37AB07
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe NtAllocateVirtualMemory: Direct from: 0xA0A76ACB
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtQuerySystemInformation: Indirect: 0x7FF6B790DF84
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe NtClose: Direct from: 0x1
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe NtProtectVirtualMemory: Direct from: 0x7FF78D75BE9D
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe NtProtectVirtualMemory: Direct from: 0x3
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtQuerySystemInformation: Indirect: 0x7FF7B50BDF84
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtQueryInformationProcess: Indirect: 0x7FF6B798AC73
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtProtectVirtualMemory: Direct from: 0x7FF6B7AF7E3D
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtProtectVirtualMemory: Direct from: 0x7FF7B52A2C69
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe NtAllocateVirtualMemory: Direct from: 0x7FF8A3118875
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtProtectVirtualMemory: Direct from: 0x7FF7B5258D9D
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtQueryInformationProcess: Indirect: 0x7FF7B513AC73
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe NtProtectVirtualMemory: Direct from: 0x7FF78D6BCD9B
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe NtProtectVirtualMemory: Direct from: 0x252ADB4D2F0
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtProtectVirtualMemory: Direct from: 0x7FF7B5585BEB
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe NtProtectVirtualMemory: Direct from: 0x7FF78D4E7E3D
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtProtectVirtualMemory: Direct from: 0x7FF6B7AF2C69
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe NtProtectVirtualMemory: Direct from: 0x7FF78D76E31D
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe NtProtectVirtualMemory: Direct from: 0x7FF78D4B32D7
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe NtQuerySystemInformation: Direct from: 0x252ADB4D0F0
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe NtQueryVolumeInformationFile: Direct from: 0xE009CFEE38
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe NtProtectVirtualMemory: Direct from: 0x7FF78D75D7E8
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtProtectVirtualMemory: Direct from: 0x7FF7B557A628
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe NtQueryInformationProcess: Indirect: 0x7FF78D37AC73
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtProtectVirtualMemory: Direct from: 0x7FF6B7D753EE
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtQueryInformationProcess: Indirect: 0x7FF7B513AB07
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtProtectVirtualMemory: Direct from: 0x7FF6B7D7E31D
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtProtectVirtualMemory: Direct from: 0x7FF6B7AC32D7
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtQueryInformationProcess: Indirect: 0x7FF6B798AB07
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtProtectVirtualMemory: Direct from: 0x7FF6B7D77D0F
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtProtectVirtualMemory: Direct from: 0x7FF7B52BDB47
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtProtectVirtualMemory: Direct from: 0x7FF7B547DECF
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtProtectVirtualMemory: Direct from: 0x7FF7B529C1FC
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe NtProtectVirtualMemory: Direct from: 0x7FF78D7BA628
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtProtectVirtualMemory: Direct from: 0x7FF6B7D75B74
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtProtectVirtualMemory: Direct from: 0x7FF7B546A2C0
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe NtProtectVirtualMemory: Direct from: 0x7FF78D498D9D
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe NtCreateFile: Direct from: 0x7FF8A31078EC
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtProtectVirtualMemory: Direct from: 0x7FF7B551C12D
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtProtectVirtualMemory: Direct from: 0x7FF6B7DCA628
Source: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe NtProtectVirtualMemory: Direct from: 0x7FF7B55125AC
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtProtectVirtualMemory: Direct from: 0x7FF6B7D5CAE6
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe NtProtectVirtualMemory: Direct from: 0x7FF78D4FC9E6
Source: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe NtProtectVirtualMemory: Direct from: 0x7FF6B7AA8D9D
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 18_2_00415D00
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_03665F67 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 18_2_03665F67
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 400000
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 402000
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 404000
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 406000
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: F5F008
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\jNeaezBuo8.exe" -Force
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe "C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe "C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe "C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe "C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe "C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe "C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\7h3MwjMZ6vEaBgd6kdodu3Pw.exe "C:\Users\user\Pictures\7h3MwjMZ6vEaBgd6kdodu3Pw.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\TXqT6X30DuHmvWeCAIdAJgkl.exe "C:\Users\user\Pictures\TXqT6X30DuHmvWeCAIdAJgkl.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe "C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe "C:\Users\user\Pictures\cCuDz5Qaw0neUcm6E5xOvfYH.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe "C:\Users\user\Pictures\ayhJ6kQ8IqoRz2vLrcRuSLzw.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe "C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\KtJVXw17tLyQAhIxYU41jVqs.exe "C:\Users\user\Pictures\KtJVXw17tLyQAhIxYU41jVqs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\Y19ex8vzCbShkGSA8eqfhDzt.exe "C:\Users\user\Pictures\Y19ex8vzCbShkGSA8eqfhDzt.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe "C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe" --silent --allusers=0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe "C:\Users\user\Pictures\tBkWHcKqBZ65lLNmFWjY4rC6.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c6sF6ZIbUf4h0chyjX8GoXwd.bat" "
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 436 -p 3636 -ip 3636
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3636 -s 1360
Source: C:\Windows\System32\svchost.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Process created: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe "C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe"
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Process created: C:\Users\user\AppData\Local\Temp\u4n8.0.exe "C:\Users\user\AppData\Local\Temp\u4n8.0.exe"
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x258,0x6c5be1d0,0x6c5be1dc,0x6c5be1e8
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe "C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\user\AppData\Local\Programs\Opera" --profile-folder --language=en-GB --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5480 --package-dir-prefix="C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240420115402" --session-guid=7c8aa1aa-7a32-47df-9a77-320b42f4c511 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=9C05000000000000
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x6b94e1d0,0x6b94e1dc,0x6b94e1e8
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Process created: C:\Users\user\AppData\Local\Temp\u5vc.0.exe "C:\Users\user\AppData\Local\Temp\u5vc.0.exe"
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Process created: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe "C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe"
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\7h3MwjMZ6vEaBgd6kdodu3Pw.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\TXqT6X30DuHmvWeCAIdAJgkl.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Process created: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2b0,0x2b4,0x2b8,0x2ac,0x2bc,0x6afce1d0,0x6afce1dc,0x6afce1e8
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\ZUXB5CkDapzE7efrdUFhJ892.exe "C:\Users\user\AppData\Local\ZUXB5CkDapzE7efrdUFhJ892.exe"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe Process created: C:\Users\user\AppData\Local\Temp\u3a8.0.exe "C:\Users\user\AppData\Local\Temp\u3a8.0.exe"
Source: C:\Users\user\Pictures\bOYJAXg8qqrEFblwExl79wvd.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\KtJVXw17tLyQAhIxYU41jVqs.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\Y19ex8vzCbShkGSA8eqfhDzt.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\eYOrtx4XT9Xlr5FknYeLBgkD.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Process created: unknown unknown
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe c:\users\user\pictures\09jxlfzejoc5kwqey7xiw75i.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x258,0x6c5be1d0,0x6c5be1dc,0x6c5be1e8
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe "c:\users\user\pictures\09jxlfzejoc5kwqey7xiw75i.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="c:\users\user\appdata\local\programs\opera" --profile-folder --language=en-gb --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5480 --package-dir-prefix="c:\users\user\appdata\local\temp\.opera\opera installer temp\opera_package_20240420115402" --session-guid=7c8aa1aa-7a32-47df-9a77-320b42f4c511 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=9c05000000000000
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe c:\users\user\pictures\09jxlfzejoc5kwqey7xiw75i.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x6b94e1d0,0x6b94e1dc,0x6b94e1e8
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Process created: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe c:\users\user\pictures\zk4cnpe2v25jrp4qnsgwaeq7.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2b0,0x2b4,0x2b8,0x2ac,0x2bc,0x6afce1d0,0x6afce1dc,0x6afce1e8
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe c:\users\user\pictures\09jxlfzejoc5kwqey7xiw75i.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x29c,0x2a0,0x2a4,0x278,0x258,0x6c5be1d0,0x6c5be1dc,0x6c5be1e8
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe "c:\users\user\pictures\09jxlfzejoc5kwqey7xiw75i.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="c:\users\user\appdata\local\programs\opera" --profile-folder --language=en-gb --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5480 --package-dir-prefix="c:\users\user\appdata\local\temp\.opera\opera installer temp\opera_package_20240420115402" --session-guid=7c8aa1aa-7a32-47df-9a77-320b42f4c511 --server-tracking-blob="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 " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=9c05000000000000
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe c:\users\user\pictures\09jxlfzejoc5kwqey7xiw75i.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x298,0x2a8,0x2ac,0x274,0x2b0,0x6b94e1d0,0x6b94e1dc,0x6b94e1e8
Source: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe Process created: C:\Users\user\Pictures\ZK4CNPe2v25Jrp4qNSGWaEQ7.exe c:\users\user\pictures\zk4cnpe2v25jrp4qnsgwaeq7.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\roaming\opera software\opera stable\crash reports" "--crash-count-file=c:\users\user\appdata\roaming\opera software\opera stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=stable --annotation=plat=win32 --annotation=prod=operadesktop --annotation=ver=109.0.5097.45 --initial-client-data=0x2b0,0x2b4,0x2b8,0x2ac,0x2bc,0x6afce1d0,0x6afce1dc,0x6afce1e8
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000010.00000000.2058946527.000000000091A000.00000002.00000001.01000000.0000000B.sdmp, 09JXLFzEJOC5kWQEY7XIw75i.exe, 00000011.00000000.2063634359.0000000000CFA000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: ..\..\opera\desktop\chrome_imports\chrome\browser\win\ui_automation_util.ccGetCachedBstrValue property is not a BSTR: GetCachedInt32Value property is not an I4: X64Cannot get the size of file version infoNo file version in the package\StringFileInfo\000004B0\ProductVersionNo product version value in the packageReceived an invalid version: \StringFileInfo\000004B0\ContinuousVersionReceived an invalid continuous build number: Cannot acquire internal version from the full version: \StringFileInfo\000004B0\StreamNo stream value in the packageCannot get exe output: version..\..\opera\desktop\windows\installer\common\file_version_utils_impl.ccInvalid version from exe: Cannot get exe output: streamCannot get app output Failed to run the elevated process: Failed wait for the elevated process: Unexpected result when waiting for elevated process: Shortcut element - no correct interface...\..\opera\desktop\windows\installer\common\pin_automator.ccDoneCannot get native menu handle.Cannot get desktop rect.Cannot find pin menu element.No rectangleCould not activate the menu item.ProgmanSysListView324
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_00409D1B cpuid 10_2_00409D1B
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 10_2_00420063
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: GetLocaleInfoW, 10_2_004208CE
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: EnumSystemLocalesW, 10_2_004170F1
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_2_0042099B
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: EnumSystemLocalesW, 10_2_004202DB
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: EnumSystemLocalesW, 10_2_00420326
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: EnumSystemLocalesW, 10_2_004203C1
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 10_2_0042044E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: GetLocaleInfoW, 10_2_004174E4
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: GetLocaleInfoW, 10_2_0042069E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 10_2_004207C7
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: EnumSystemLocalesW, 10_2_036F7358
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: GetLocaleInfoW, 10_2_03700B35
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 10_2_03700A2E
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 10_2_037002CA
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: GetLocaleInfoW, 10_2_03700903
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: GetLocaleInfoW, 10_2_03700905
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: GetLocaleInfoW, 10_2_036F774B
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: EnumSystemLocalesW, 10_2_03700628
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: EnumSystemLocalesW, 10_2_03700542
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: EnumSystemLocalesW, 10_2_0370058D
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_2_03700C02
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 18_2_00414570
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 18_2_036647D7
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 24_2_00420063
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: GetLocaleInfoW, 24_2_004208CE
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: EnumSystemLocalesW, 24_2_004170F1
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 24_2_0042099B
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: EnumSystemLocalesW, 24_2_004202DB
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: EnumSystemLocalesW, 24_2_00420326
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: EnumSystemLocalesW, 24_2_004203C1
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 24_2_0042044E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: GetLocaleInfoW, 24_2_004174E4
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: GetLocaleInfoW, 24_2_0042069E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 24_2_004207C7
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: EnumSystemLocalesW, 24_2_035B7358
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: GetLocaleInfoW, 24_2_035C0B35
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 24_2_035C0A2E
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 24_2_035C02CA
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: GetLocaleInfoW, 24_2_035C0905
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: GetLocaleInfoW, 24_2_035C0903
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: GetLocaleInfoW, 24_2_035B774B
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: EnumSystemLocalesW, 24_2_035C0628
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: EnumSystemLocalesW, 24_2_035C0542
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: EnumSystemLocalesW, 24_2_035C058D
Source: C:\Users\user\Pictures\qVgCKtvfJNb4NfGV6kK2PcSn.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 24_2_035C0C02
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
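The entries above are raw behaviour log lines, and three groups are worth pulling out when triaging a report like this: the process-creation lines, where payloads dropped under C:\Users\user\Pictures\ and AppData\Local\Temp run an Opera installer command line carrying --run-at-startup=1 and --setdefaultbrowser=1; the "Code function" lines, where GetUserDefaultLCID and GetKeyboardLayoutList are the calls a stealer typically uses to bail out on excluded locales, while the many EnumSystemLocalesW / GetLocaleInfoW / GetACP chains at low 0x0041xxxx-0x0042xxxx addresses look like ordinary statically linked CRT locale initialisation and are weak evidence on their own; and the query of HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0, a common way to read the CPU name string for hypervisor fingerprinting (the "cpuid" code function in the same binary fits the same purpose). The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in the format shown here and applies those triage rules. The rule names, the list of "user-writable" directories, the strong/weak API split (including two extra locale APIs, GetUserDefaultUILanguage and GetSystemDefaultLangID, that do not occur in this report), and the sample lines embedded for offline use are all my own choices.

```python
"""Triage helper for Joe Sandbox-style behaviour lines (added example, not report tooling)."""
import re
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional


class Finding(NamedTuple):
    rule: str
    source: str
    detail: str


# "Source: <image> <event>: <detail>"  -- the line shape used throughout the report.
LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) "
    r"(?P<event>Process created|Code function|Registry key value queried|"
    r"Queries volume information|Binary or memory string): (?P<detail>.*)$"
)

# Assumption: executables launched from these profile directories deserve a look.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(?:pictures|documents|appdata\\local\\temp|appdata\\local)\\[^\\]+\.exe",
    re.IGNORECASE,
)
# Installer switches from the report that establish persistence / default-browser hijack.
PERSIST_SWITCHES = ("--run-at-startup=1", "--setdefaultbrowser=1")
# Assumption: strong = APIs stealers use for locale exclusion; weak = typical CRT setlocale noise.
STRONG_LOCALE = {"GetUserDefaultLCID", "GetKeyboardLayoutList",
                 "GetUserDefaultUILanguage", "GetSystemDefaultLangID"}
WEAK_LOCALE = {"EnumSystemLocalesW", "GetLocaleInfoW", "GetLocaleInfoA",
               "GetACP", "IsValidLocale", "IsValidCodePage"}
CPU_KEY = r"hkey_local_machine\hardware\description\system\centralprocessor"
PS_MODULES = ("\\modules\\bitlocker\\", "\\modules\\appvclient\\")


def parse_line(line: str) -> Optional[dict]:
    """Split one report line into source image, event type and detail; None if not a log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Apply the triage rules to every parsable line and return the hits in order."""
    findings: List[Finding] = []
    for raw in lines:
        rec = parse_line(raw)
        if not rec:
            continue
        src, event, detail = rec["source"], rec["event"], rec["detail"]
        if event == "Process created":
            if USER_WRITABLE.search(src) or USER_WRITABLE.search(detail):
                findings.append(Finding("user_writable_exec", src, detail))
            if any(sw in detail.lower() for sw in PERSIST_SWITCHES):
                findings.append(Finding("installer_persistence_switches", src, detail))
        elif event == "Code function":
            # detail looks like "ApiA,ApiB,ApiC, 10_2_0042099B" or "10_2_00409D1B cpuid 10_2_00409D1B"
            parts = detail.split()
            apis = set(filter(None, parts[0].split(","))) if parts else set()
            if apis & STRONG_LOCALE:
                findings.append(Finding("locale_check_strong", src, detail))
            elif apis & WEAK_LOCALE:
                findings.append(Finding("locale_check_weak", src, detail))
            if "cpuid" in parts:
                findings.append(Finding("cpuid", src, detail))
        elif event == "Registry key value queried":
            if detail.lower().startswith(CPU_KEY):
                findings.append(Finding("cpu_fingerprint", src, detail))
        elif event == "Queries volume information":
            if src.lower().endswith("powershell.exe") and any(m in detail.lower() for m in PS_MODULES):
                findings.append(Finding("ps_bitlocker_appv_module", src, detail))
    return findings


def summarize(findings: Iterable[Finding]) -> Counter:
    """Count hits per rule, which is what a quick report summary needs."""
    return Counter(f.rule for f in findings)


# Constructed sample: lines copied from the report above, long command lines shortened.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\ZUXB5CkDapzE7efrdUFhJ892.exe "
    r'"C:\Users\user\AppData\Local\ZUXB5CkDapzE7efrdUFhJ892.exe"',
    r"Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Process created: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe "
    r'"c:\users\user\pictures\09jxlfzejoc5kwqey7xiw75i.exe" --backend --install --run-at-startup=1 --setdefaultbrowser=1 --silent',
    r"Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 10_2_0042099B",
    r"Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 18_2_00414570",
    r"Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: EnumSystemLocalesW, 10_2_004170F1",
    r"Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_00409D1B cpuid 10_2_00409D1B",
    r"Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.rule:32} {f.source}")
    print(dict(summarize(triage(SAMPLE_LINES))))
```

Feed it the exported report text (one behaviour line per row) and read the summary first: a binary with locale_check_strong plus cpu_fingerprint or cpuid hits is checking where and on what it runs before doing anything else, whereas a pile of locale_check_weak hits alone is usually just the C runtime.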
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Queries volume information: C:\Users\user\Desktop\jNeaezBuo8.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
Source: C:\Users\user\Pictures\09JXLFzEJOC5kWQEY7XIw75i.exe Queries volume information: C:\Users\user\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404201154021\installer_prefs_include.json VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\u5vc.0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Qg_Appv5.exe Queries volume information: C:\Users\user\AppData\Local\Temp\d73a64c2 VolumeInformation
Source: C:\Users\user\Pictures\KB7dlYN3AfN1oeAtjoqEId5Q.exe Code function: 10_2_0040996D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 10_2_0040996D
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA, 18_2_004143C0
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Code function: 18_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 18_2_004144B0
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{615FC77F-E2C6-42A4-9206-B716C8DC7509}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Registry value created: Exclusions_Extensions 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{615FC77F-E2C6-42A4-9206-B716C8DC7509}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableAntiSpyware 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{615FC77F-E2C6-42A4-9206-B716C8DC7509}Machine\SOFTWARE\Policies\Microsoft\Windows Defender Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{615FC77F-E2C6-42A4-9206-B716C8DC7509}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{615FC77F-E2C6-42A4-9206-B716C8DC7509}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableOnAccessProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{615FC77F-E2C6-42A4-9206-B716C8DC7509}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{615FC77F-E2C6-42A4-9206-B716C8DC7509}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{615FC77F-E2C6-42A4-9206-B716C8DC7509}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{615FC77F-E2C6-42A4-9206-B716C8DC7509}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRawWriteNotification 1
Source: C:\Users\user\Desktop\jNeaezBuo8.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe Registry value created: Exclusions_Extensions 1
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File written: C:\Windows\System32\GroupPolicy\gpt.ini
Source: C:\Windows\System32\WerFault.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
Source: C:\Users\user\Pictures\oV9qcl4WOt6pr8Qw3ls1WbNr.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Users\user\Pictures\OOMSHFu8BfhOzlMYdVgLGKxh.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 12.2.OOMSHFu8BfhOzlMYdVgLGKxh.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.TXqT6X30DuHmvWeCAIdAJgkl.exe.4870000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.oV9qcl4WOt6pr8Qw3ls1WbNr.exe.4790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.OOMSHFu8BfhOzlMYdVgLGKxh.exe.4800000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: oV9qcl4WOt6pr8Qw3ls1WbNr.exe PID: 3580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OOMSHFu8BfhOzlMYdVgLGKxh.exe PID: 2828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TXqT6X30DuHmvWeCAIdAJgkl.exe PID: 7732, type: MEMORYSTR
Source: Yara match File source: 18.3.u4n8.0.exe.3680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.u4n8.0.exe.3680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.u4n8.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.u4n8.0.exe.3650e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.u5vc.0.exe.1bd0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.u5vc.0.exe.1c00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.u5vc.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.u5vc.0.exe.1bd0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.3.u3a8.0.exe.1ce0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.3.u3a8.0.exe.1ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.u5vc.0.exe.1c00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.u4n8.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.u4n8.0.exe.3650e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.u5vc.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002F.00000003.2253388609.0000000001CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3427909101.0000000003650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.2168557944.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3624736344.0000000001BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3425878817.0000000000400000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2076938589.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3623571026.0000000000400000.00000040.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\Documents\SimpleAdobe\YzypULQuittVyIJ8wj4JdBvq.exe, type: DROPPED
Source: Yara match File source: 00000021.00000002.3624937140.0000000001C64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3427480014.0000000001B64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u4n8.0.exe PID: 7332, type: MEMORYSTR
Source: oV9qcl4WOt6pr8Qw3ls1WbNr.exe, 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: git.dev.local/legacy/desktop/electrum.NewClient
Source: u4n8.0.exe, 00000012.00000002.3425878817.0000000000549000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: |1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u4n8.0.exe, 00000012.00000002.3427480014.0000000001B98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MetaMask|djclckkglechooblngghdinmeemkbgci|1|0|0|MetaMask|ejbalbakoplchlghecdalmeeeajnimhm|1|0|0|MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn|1|0|0|TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec|1|0|0|Binance Wallet|fhbohimaelbohpjbbldcngcnapndodjp|1|0|0|Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb|1|0|0|Coinbase Wallet extension|hnfanknocfeofbddgcijnmhnfnkdnaad|1|0|1|Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln|1|0|0|Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne|1|0|0|iWallet|kncchdigobghenbbaddojjnnaogfppfj|1|0|0|MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm|1|0|0|GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj|1|0|0|Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec|1|0|0|NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao|1|0|0|CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk|1|0|0|Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn|1|0|0|Terra Station Wallet|aiifbnbfobpmeekipheeijimdpnlpgpp|1|0|0|Keplr|dmkamcknogkgcdfhhbddcghachkejeap|1|0|0|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|1|0|0|Auro Wallet(Mina Protocol)|cnmamaachppnkjgnildpdmkaakejnhae|1|0|0|Polymesh Wallet|jojhfeoedkpkglbfimdfabpdfjaoolaf|1|0|0|ICONex|flpiciilemghbmfalicajoolhkkenfel|1|0|0|Coin98 Wallet|aeachknmefphepccionboohckonoeemg|1|0|0|EVER Wallet|cgeeodpfagjceefieflmdfphplkenlfk|1|0|0|KardiaChain Wallet|pdadjkfkgcafgbceimcpbkalnfnepbnk|1|0|0|Rabby|acmacodkjbdgmoleebolmdjonilkdbch|1|0|0|Phantom|bfnaelmomeimhlpmgjnjophhpkkoljpa|1|0|0|Brave Wallet|odbfpeeihdkbihmopkbjmoonfanlbfcl|1|0|0|Oxygen|fhilaheimglignddkjgofkcbgekhenbh|1|0|0|Pali Wallet|mgffkfbidihjpoaomajlbgchddlicgpn|1|0|0|BOLT X|aodkkagnadcbobfpggfnjeongemjbjca|1|0|0|XDEFI Wallet|hmeobnfnfcmdkdcmlblgagmfpfboieaf|1|0|0|Nami|lpfcbjknijpeeillifnkikgncikgfhdo|1|0|0|Maiar DeFi Wallet|dngmlblcodfobpdpecaadgfbcggfjfnm|1|0|0|Keeper Wallet|lpilbniiabackdjcionkobglmddfbcjo|1|0|0|Solflare Wallet|bhhhlbepdkbapadjdnnojkbgioiodbic|1|0|0|Cyano Wallet|dkdedlpgdmmkkfjabffeganieamfklkm|1|0|0|KHC|hcflpincpppdclinealmandijcmnkbgn|1|0|0|TezBox|mnfifefkajgofkcjkemidiaecocnkjeh|1|0|0|Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc|1|0|0|Goby|jnkelfanjkeadonecabehalmbgpfodjm|1|0|0|Ronin Wallet|kjmoohlgokccodicjjfebfomlbljgfhk|1|0|0|Byone|nlgbhdfgdhgbiamfdfmbikcdghidoadd|1|0|0|OneKey|jnmbobjmhlngoefaiojfljckilhhlhcj|1|0|0|DAppPlay|lodccjjbdhfakaekdiahmedfbieldgik|1|0|0|SteemKeychain|jhgnbkkipaallpehbohjmkbjofjdmeid|1|0|0|Braavos Wallet|jnlgamecbpmbajjfhmmmlhejkemejdma|1|0|0|Enkrypt|kkpllkodjeloidieedojogacfhpaihoh|1|1|1|OKX Wallet|mcohilncbfahbmgdjkbpemcciiolgcge|1|0|0|Sender Wallet|epapihdplajcdnnkdeiahlgigofloibg|1|0|0|Hashpack|gjagmgiddbbciopjhllkdnddhcglnemk|1|0|0|Eternl|kmhcihpebfmpgmihbkipmjlmmioameka|1|0|0|Pontem Aptos Wallet|phkbamefinggmakgklpkljjmgibohnba|1|0|0|Petra Aptos Wallet|ejjladinnckdgjemekebdpeokbikhfci|1|0|0|Martian Aptos Wallet|efbglgofoippbgcjepnhiblaibcnclgk|1|0|0|Finnie|cjmkndjhnagcfbpiemnkdpomccnjblmj|1|0|0|Leap Terra Wallet|aijcbedoijmgnlmjeegjaglmepbmpkpi|1|0|0|Trezor Password Manager|imloifkgjagghnncjkhggdhalmcnfklk|1|0|0|Authenticator|bhghoamapcdpbohphigoooaddinpkbai|1|0|0|
Source: u4n8.0.exe, 00000012.00000002.3425878817.0000000000549000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: |1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u4n8.0.exe, 00000012.00000002.3425878817.0000000000549000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: |1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: u4n8.0.exe, 00000012.00000002.3425878817.0000000000549000.00000040.00000001.01000000.00000012.sdmp String found in binary or memory: |1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 09JXLFzEJOC5kWQEY7XIw75i.exe, 0000000E.00000000.2054530852.000000000091A000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: ) for Ethereum-based blockchains and cryptographically secured digital assets. The in-app wallet service is provided by our affiliate, Blueboard Limited, which is solely responsible for its operation. Use of the wallet service is subject to Blueboard
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Pictures\DAzvKQG6Ksqk3AfqsZxaFtPP.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\u4n8.0.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: Process Memory Space: u4n8.0.exe PID: 7332, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 12.2.OOMSHFu8BfhOzlMYdVgLGKxh.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.TXqT6X30DuHmvWeCAIdAJgkl.exe.4870000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.oV9qcl4WOt6pr8Qw3ls1WbNr.exe.4790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.OOMSHFu8BfhOzlMYdVgLGKxh.exe.4800000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.2053143203.0000000004BD2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2105064289.0000000004CB2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3320561795.0000000000843000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2053288422.0000000004C42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: oV9qcl4WOt6pr8Qw3ls1WbNr.exe PID: 3580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OOMSHFu8BfhOzlMYdVgLGKxh.exe PID: 2828, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: TXqT6X30DuHmvWeCAIdAJgkl.exe PID: 7732, type: MEMORYSTR
Source: Yara match File source: 18.3.u4n8.0.exe.3680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.u4n8.0.exe.3680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.u4n8.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.u4n8.0.exe.3650e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.u5vc.0.exe.1bd0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.u5vc.0.exe.1c00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.u5vc.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.u5vc.0.exe.1bd0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.3.u3a8.0.exe.1ce0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.3.u3a8.0.exe.1ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.u5vc.0.exe.1c00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.u4n8.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.u4n8.0.exe.3650e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.u5vc.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002F.00000003.2253388609.0000000001CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3427909101.0000000003650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.2168557944.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3624736344.0000000001BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3425878817.0000000000400000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2076938589.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3623571026.0000000000400000.00000040.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\Documents\SimpleAdobe\YzypULQuittVyIJ8wj4JdBvq.exe, type: DROPPED
Source: Yara match File source: 00000021.00000002.3624937140.0000000001C64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3427480014.0000000001B64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u4n8.0.exe PID: 7332, type: MEMORYSTR
Source: Yara match File source: 18.3.u4n8.0.exe.3680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.3.u4n8.0.exe.3680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.u4n8.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.u4n8.0.exe.3650e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.u5vc.0.exe.1bd0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.u5vc.0.exe.1c00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.u5vc.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.u5vc.0.exe.1bd0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.3.u3a8.0.exe.1ce0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.3.u3a8.0.exe.1ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.3.u5vc.0.exe.1c00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.u4n8.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.u4n8.0.exe.3650e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.u5vc.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000002F.00000003.2253388609.0000000001CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3427909101.0000000003650000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.2168557944.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3624736344.0000000001BD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.3425878817.0000000000400000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2076938589.0000000003680000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3623571026.0000000000400000.00000040.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u4n8.0.exe PID: 7332, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\Documents\SimpleAdobe\YzypULQuittVyIJ8wj4JdBvq.exe, type: DROPPED