Windows Analysis Report
OnLine_Install_Dialog_UI_SSL.exe

Overview

General Information

Sample name:	OnLine_Install_Dialog_UI_SSL.exe
Analysis ID:	1432289
MD5:	74db9f552ccae0af3640851c6960f079
SHA1:	44cc1e1e974e90982146719efd496c9721465a4a
SHA256:	c5494d160a1b3cdff381623216bdcc8aef9fc5a18565fd1a679a4e2eb8a7c056
Infos:

Detection

Score:	28
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

Installs new ROOT certificates

Modifies the windows firewall

PE file has a writeable .text section

Uses netsh to modify the Windows network and firewall settings

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Scripting/CommandLine Process Spawned Regsvr32

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution From GUID Like Folder Names

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004542BF __EH_prolog3_GS,GetLastError,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,CryptHashData,CryptSignHashW,CryptSignHashW,CryptSignHashW,GetLastError,GetLastError,WriteFile,WriteFile,WriteFile,	0_2_004542BF
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004546DD __EH_prolog3_GS,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,CryptHashData,GetLastError,_memmove,GetLastError,CryptVerifySignatureW,	0_2_004546DD
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00454C59 CryptReleaseContext,	0_2_00454C59
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00454C91 CryptDestroyHash,	0_2_00454C91
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00454CAB CryptDestroyKey,	0_2_00454CAB
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00454DDC CryptExportKey,	0_2_00454DDC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045505F CryptGetHashParam,GetLastError,CryptGetHashParam,	0_2_0045505F
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045521D CryptHashData,	0_2_0045521D
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004552A9 CryptImportKey,	0_2_004552A9
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00455333 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError,	0_2_00455333
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045564F CoCreateGuid,StringFromGUID2,_wcsncpy,CryptAcquireContextW,CryptCreateHash,	0_2_0045564F
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004559DE CryptGetHashParam,GetLastError,	0_2_004559DE
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004559E0 CryptGetHashParam,GetLastError,CryptSetHashParam,	0_2_004559E0
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00455A6D CryptAcquireContextW,CryptReleaseContext,CryptDestroyHash,	0_2_00455A6D
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00455DCC SetFilePointer,CryptSignHashW,GetLastError,CryptSignHashW,WriteFile,WriteFile,WriteFile,SetFilePointer,	0_2_00455DCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00455D9E CryptVerifySignatureW,GetLastError,	0_2_00455D9E

Uses 32bit PE files

Source: OnLine_Install_Dialog_UI_SSL.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\ozcE786.tmp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\ozcE786.tmp			Jump to behavior

Source: OnLine_Install_Dialog_UI_SSL.exe

Static PE information: certificate valid

Source:	Binary string: E:\Project_Test\CloseOZWebLauncher\Release\CloseOZWebLauncher.pdb source: CloseOZWebLauncher.exe, 00000009.00000000.1733726897.0000000001078000.00000002.00000001.01000000.0000000D.sdmp, CloseOZWebLauncher.exe, 00000009.00000002.1739712006.0000000001078000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLBridgeForUAC\Release\OZWLBridgeForUAC.pdb source: OZWD629.tmp.1.dr
Source:	Binary string: E:\Project_Test\CloseOZWebLauncher\Release\CloseOZWebLauncher.pdbP/ source: CloseOZWebLauncher.exe, 00000009.00000000.1733726897.0000000001078000.00000002.00000001.01000000.0000000D.sdmp, CloseOZWebLauncher.exe, 00000009.00000002.1739712006.0000000001078000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\ISP\setup.pdb source: OnLine_Install_Dialog_UI_SSL.exe, setup.exe0.0.dr
Source:	Binary string: C:\Users\sg0216986\Documents\Visual Studio 2010\Projects\Json4DotNet\System.Net.Json\obj\Release\System.Net.Json.pdb source: OZWebLauncher.exe, 00000021.00000002.2920008536.0000000007902000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLService\Release\OZWLService.pdb source: OZWLService.exe, 0000001E.00000000.2117884411.0000000000BF8000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: d:\OZSource80\OZTransferX\Transfer_Control\Release\ZTransferLib.pdbT4 source: ZTrD718.tmp.1.dr
Source:	Binary string: D:\Samsung_Fire\CloseOZWLBridge\Release\CloseOZWLBridge.pdbP/2 source: CloseOZWLBridge.exe, 00000008.00000002.1732889732.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp, CloseOZWLBridge.exe, 00000008.00000000.1731707763.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLBridgeForUAC\Release\OZWLBridgeForUAC.pdb\oW4 source: OZWD629.tmp.1.dr
Source:	Binary string: d:\OZSource80\OZTransferX\Transfer_Control\Release\ZTransferLib.pdb source: ZTrD718.tmp.1.dr
Source:	Binary string: d:\ozsource\misc\OZWebLauncher\OZWebLauncher\obj\x86\Release\OZWebLauncher.pdb source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000000.2126414035.0000000000BC2000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: d:\ozsource\misc\OZWebLauncher\WebSockets\obj\Release\WebSockets.pdb source: OZWebLauncherUtil.exe, 0000001F.00000002.2915164601.0000000004322000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_isres_0x0409.pdb source: _is4AD9.tmp.1.dr
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: setup.exe, 00000001.00000003.1667559709.0000000000886000.00000004.00000020.00020000.00000000.sdmp, ISBEW64.exe, 00000002.00000002.2213567077.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000002.00000000.1686921318.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000003.00000002.1692670949.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000003.00000000.1687461278.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000004.00000002.1693203562.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000004.00000000.1687911327.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000005.00000002.1693902657.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000005.00000000.1689065493.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000006.00000002.1694512877.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000006.00000000.1693173144.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000007.00000000.1730363712.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000007.00000002.2210041589.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\Samsung_Fire\CloseOZWLBridge\Release\CloseOZWLBridge.pdb source: CloseOZWLBridge.exe, 00000008.00000002.1732889732.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp, CloseOZWLBridge.exe, 00000008.00000000.1731707763.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: d:\ozsource\misc\OZWebLauncher\OZWebLauncher\obj\x86\Release\OZWebLauncher.pdbls source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000000.2126414035.0000000000BC2000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWebLauncherUtil\obj\x86\Release\OZWebLauncherUtil.pdb source: OZWebLauncherUtil.exe, 0000001F.00000000.2118514832.0000000000DC2000.00000002.00000001.01000000.00000012.sdmp, OZWD559.tmp.1.dr

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00425659 __EH_prolog3_GS,FindFirstFileW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrcatW,SysStringLen,lstrcatW,GetFileAttributesW,lstrcatW,lstrcmpiW,lstrcpynW,lstrcmpiW,lstrcmpiW,SysStringLen,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,DeleteFileW,lstrcpyW,	0_2_00425659
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0042C966 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,	0_2_0042C966
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00451BC7 __EH_prolog3_GS,FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,RemoveDirectoryW,__CxxThrowException@8,DeleteFileW,	0_2_00451BC7
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001F11F2 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	8_2_001F11F2
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F911F2 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	9_2_00F911F2

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\	Jump to behavior

Source: OnLine_Install_Dialog_UI_SSL.exe, setup.exe0.0.dr	String found in binary or memory: http://=0x%04x.iniMS
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: OZWebLauncherUtil.exe, 0000001F.00000002.2913458137.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MainWindow.xamld
Source: setup.exe, 00000001.00000002.2438979471.000000000083E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2239128364.000000000083D000.00000004.00000020.00020000.00000000.sdmp, data1.hdr.0.dr	String found in binary or memory: http://deviis4.installshield.com/NetNirvana/
Source: svchost.exe, 00000022.00000003.2136483818.000002C553618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000022.00000003.2136483818.000002C553618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000022.00000003.2136483818.000002C553618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000022.00000003.2136483818.000002C553618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000022.00000003.2136483818.000002C553618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000022.00000003.2136483818.000002C553618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000022.00000003.2136483818.000002C55364D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000022.00000003.2136483818.000002C553691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: OZWebLauncherUtil.exe, 0000001F.00000002.2913458137.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/MainWindow.xaml
Source: OZWebLauncherUtil.exe, 0000001F.00000002.2913458137.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/mainwindow.baml
Source: OZWebLauncherUtil.exe, 0000001F.00000002.2913458137.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/mainwindow.bamld
Source: ZTrD718.tmp.1.dr	String found in binary or memory: http://https://.././SOFTWARE
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://s2.symcb.com0
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://sv.symcd.com0&
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://www.flexerasoftware.com0
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: OnLine_Install_Dialog_UI_SSL.exe, setup.ini.1.dr, setup.exe0.0.dr	String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: setup.exe, 00000001.00000003.2234591613.000000000297A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2212449812.0000000002979000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2240388417.00000000029C5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.000000000297A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.8T)
Source: _is4AD9.tmp.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: _is4AD9.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000022.00000003.2136483818.000002C5536C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000022.00000003.2136483818.000002C553672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000022.00000003.2136483818.000002C5536C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000022.00000003.2136483818.000002C5536A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000022.00000003.2136483818.000002C5536F4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000022.00000003.2136483818.000002C5536C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000022.00000003.2136483818.000002C5536E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000022.00000003.2136483818.000002C5536C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 00000022.00000003.2136483818.000002C5536C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000022.00000003.2136483818.000002C553672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe

Code function: 8_2_0021E34D GetClientRect,GetAsyncKeyState,SendMessageW,

8_2_0021E34D

Potential key logger detected (key state polling based)

Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001C815B IsWindow,SendMessageW,GetCapture,SendMessageW,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	8_2_001C815B
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001CC169 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	8_2_001CC169
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_00224794 GetWindowRect,KillTimer,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer,	8_2_00224794
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001C9526 IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	8_2_001C9526
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_00219612 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageW,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetWindowPos,SendMessageW,_memset,SendMessageW,GetParent,	8_2_00219612
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001F3A33 SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW,	8_2_001F3A33
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00FDC1D1 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	9_2_00FDC1D1
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6C169 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	9_2_00F6C169
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6815B IsWindow,SendMessageW,GetCapture,SendMessageW,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	9_2_00F6815B
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00FC4794 GetWindowRect,KillTimer,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer,	9_2_00FC4794
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F69526 IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	9_2_00F69526
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00FB9612 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageW,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetWindowPos,SendMessageW,_memset,SendMessageW,GetParent,	9_2_00FB9612
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F93A33 SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW,	9_2_00F93A33

Drops certificate files (DER)

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\forD4C5.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\forcscert.pfx (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004552A9 CryptImportKey,		0_2_004552A9
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00455333 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError,		0_2_00455333

System Summary

PE file has a writeable .text section

Source: ISSetup.dll.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSetup.dll.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: isr4AC8.tmp.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSC3E7.tmp.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_00447C87 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_00447C87

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Windows\ZTUE4B7.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Windows\ZTUE4B7.tmp	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Deletes files inside the Windows folder

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

File deleted: C:\Windows\ZTUE4B7.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0047C0B0	0_2_0047C0B0
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0047022B	0_2_0047022B
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004685CF	0_2_004685CF
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0047C619	0_2_0047C619
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0049CA69	0_2_0049CA69
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00490B40	0_2_00490B40
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0047CB89	0_2_0047CB89
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0047D4E8	0_2_0047D4E8
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0047D8A7	0_2_0047D8A7
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004719F6	0_2_004719F6
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00475CA1	0_2_00475CA1
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0049DEC4	0_2_0049DEC4
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0047E023	0_2_0047E023
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045E9CF	0_2_0045E9CF
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0044ECB8	0_2_0044ECB8
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045EEC3	0_2_0045EEC3
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00463190	0_2_00463190
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045F2DB	0_2_0045F2DB
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00493630	0_2_00493630
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045F710	0_2_0045F710
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045FB45	0_2_0045FB45
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0047FD1C	0_2_0047FD1C
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D9431AD0	2_2_00007FF7D9431AD0
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D9434230	2_2_00007FF7D9434230
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D943D308	2_2_00007FF7D943D308
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D94442FC	2_2_00007FF7D94442FC
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D943F11C	2_2_00007FF7D943F11C
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D9434E10	2_2_00007FF7D9434E10
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D943CC64	2_2_00007FF7D943CC64
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D943FCE4	2_2_00007FF7D943FCE4
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001BE9F4	8_2_001BE9F4
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_002BEB98	8_2_002BEB98
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_002B8D35	8_2_002B8D35
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_0021B161	8_2_0021B161
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_002B1DB5	8_2_002B1DB5
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_00259FCF	8_2_00259FCF
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F5E9F4	9_2_00F5E9F4
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_0105EB98	9_2_0105EB98
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00FDAA29	9_2_00FDAA29
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_01058D35	9_2_01058D35
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00FBB161	9_2_00FBB161
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00FD9BD7	9_2_00FD9BD7
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_01051DB5	9_2_01051DB5
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00FF9FCF	9_2_00FF9FCF

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: String function: 01050F8F appears 289 times
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: String function: 01053438 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: String function: 002B0F8F appears 251 times
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: String function: 002B3438 appears 38 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 00423AD2 appears 41 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 0045B8C9 appears 297 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 00459F9F appears 77 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 0045B8FF appears 56 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 0045B896 appears 225 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 004091B8 appears 102 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 00466610 appears 42 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 00459FCD appears 56 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 0045A2FE appears 124 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 0041AE03 appears 38 times

PE file contains executable resources (Code or Archives)

Source: ozvD4F8.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ozvD4F8.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Sample file is different than original file name gathered from version info

Source: OnLine_Install_Dialog_UI_SSL.exe, 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs OnLine_Install_Dialog_UI_SSL.exe
Source: OnLine_Install_Dialog_UI_SSL.exe, 00000000.00000003.2441490591.0000000000885000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs OnLine_Install_Dialog_UI_SSL.exe
Source: OnLine_Install_Dialog_UI_SSL.exe	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs OnLine_Install_Dialog_UI_SSL.exe

Uses 32bit PE files

Source: OnLine_Install_Dialog_UI_SSL.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ISSetup.dll.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSetup.dll.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: isr4AC8.tmp.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSC3E7.tmp.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: isr4AC8.tmp.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: CloseOZWebLauncher.exe, 00000009.00000002.1740048299.0000000001610000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n_ip_tcpBS;.VBpp
Source: CloseOZWebLauncher.exe, 00000009.00000002.1740048299.0000000001610000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BS;.VBp

Source: classification engine

Classification label: sus28.evad.winEXE@55/135@0/1

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_00447C87 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_00447C87

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_0041F883 _memset,lstrcpyW,lstrcatW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,

0_2_0041F883

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_00446187 __EH_prolog3_GS,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,Process32NextW,OpenProcess,

0_2_00446187

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_004443E5 __EH_prolog3_GS,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,CoCreateInstance,

0_2_004443E5

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_00420149 __EH_prolog3_catch_GS,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

0_2_00420149

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

File created: C:\Program Files (x86)\InstallShield Installation Information\

Jump to behavior

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\97e828cd0105f5dc8974dc728e950457_9e146be9-c76a-4720-bcdb-53011b87bd06

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\E57AA2E7-1A7E-47FB-B362-ED04768595E6
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:180:120:WilError_03

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

File created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\addfirewall.bat /s /v/q

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: @/L	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: EXE=%s	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: EXEProcessBegin	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: ISSetupInit	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: @/L	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: >YG	0_2_00475890
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: @/L	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: EXE=%s	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: EXEProcessBegin	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: ISSetupInit	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: @/L	0_2_00425FCC

Source: OnLine_Install_Dialog_UI_SSL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

File read: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\setup.ini

Jump to behavior

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: setup.exe, 00000001.00000003.1660754567.0000000000835000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1660914820.0000000000835000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1660845452.0000000000835000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Select the language for the installation from the choices below.ue?;

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

File read: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe "C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe"
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Process created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe -package:"C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\" -tempdisk1folder:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\" -IS_OriginalLauncher:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5E314697-D110-4002-B63C-61B432079D77}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1856CA6F-3A7F-472E-B337-2E3FA07FC85C}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F0A08E8-A0D1-45AD-AF2B-F10D703CD02A}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BAB69511-4FCB-4C17-80A3-43394505337C}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{10BFDE1A-F312-4E1F-BEA2-24F4DCA4D57F}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{54B59A05-F3F9-4E3A-8D72-1C938585C9B4}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe
Source: unknown	Process created: C:\Windows\System32\VSSVC.exe C:\Windows\system32\vssvc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k swprv
Source: unknown	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\addfirewall.bat /s /v/q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncher.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherUtilFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncherUtil.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32 /s /uC:\Windows\ZTUACControl.dll
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32 /s C:\Windows\ZTUACControl.dll
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTUACControl.bat /s /v/q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s c:\Windows\ZTUACControl.dll
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Windows\SysWOW64\timeout.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe"
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe"
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Windows\SysWOW64\timeout.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Process created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe -package:"C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\" -tempdisk1folder:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\" -IS_OriginalLauncher:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\setup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5E314697-D110-4002-B63C-61B432079D77}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1856CA6F-3A7F-472E-B337-2E3FA07FC85C}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F0A08E8-A0D1-45AD-AF2B-F10D703CD02A}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BAB69511-4FCB-4C17-80A3-43394505337C}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{10BFDE1A-F312-4E1F-BEA2-24F4DCA4D57F}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{54B59A05-F3F9-4E3A-8D72-1C938585C9B4}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\addfirewall.bat /s /v/q	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32 /s /uC:\Windows\ZTUACControl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32 /s C:\Windows\ZTUACControl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTUACControl.bat /s /v/q	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncher.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherUtilFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncherUtil.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s c:\Windows\ZTUACControl.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe"
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe"

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: sxproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: vss_ps.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: catsrvut.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: mfcsubs.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: swprv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: virtdisk.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vss_ps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vss_ps.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: aclayers.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: sfc.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: msisip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: wshext.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: appxsip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: opcservices.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: esdsip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: d3d9.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: aclayers.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: sfc.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: riched20.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: usp10.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: msls31.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: msisip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: wshext.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: appxsip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: opcservices.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: esdsip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: d3d9.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: OZWLBridge.lnk.1.dr

LNK file: ..\..\..\..\..\..\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridge.exe

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

File written: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\0x0409.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\ozcE786.tmp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\ozcE786.tmp			Jump to behavior

Source: OnLine_Install_Dialog_UI_SSL.exe

Static PE information: certificate valid

Source: OnLine_Install_Dialog_UI_SSL.exe

Static file information: File size 11588408 > 1048576

Source: OnLine_Install_Dialog_UI_SSL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\Project_Test\CloseOZWebLauncher\Release\CloseOZWebLauncher.pdb source: CloseOZWebLauncher.exe, 00000009.00000000.1733726897.0000000001078000.00000002.00000001.01000000.0000000D.sdmp, CloseOZWebLauncher.exe, 00000009.00000002.1739712006.0000000001078000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLBridgeForUAC\Release\OZWLBridgeForUAC.pdb source: OZWD629.tmp.1.dr
Source:	Binary string: E:\Project_Test\CloseOZWebLauncher\Release\CloseOZWebLauncher.pdbP/ source: CloseOZWebLauncher.exe, 00000009.00000000.1733726897.0000000001078000.00000002.00000001.01000000.0000000D.sdmp, CloseOZWebLauncher.exe, 00000009.00000002.1739712006.0000000001078000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\ISP\setup.pdb source: OnLine_Install_Dialog_UI_SSL.exe, setup.exe0.0.dr
Source:	Binary string: C:\Users\sg0216986\Documents\Visual Studio 2010\Projects\Json4DotNet\System.Net.Json\obj\Release\System.Net.Json.pdb source: OZWebLauncher.exe, 00000021.00000002.2920008536.0000000007902000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLService\Release\OZWLService.pdb source: OZWLService.exe, 0000001E.00000000.2117884411.0000000000BF8000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: d:\OZSource80\OZTransferX\Transfer_Control\Release\ZTransferLib.pdbT4 source: ZTrD718.tmp.1.dr
Source:	Binary string: D:\Samsung_Fire\CloseOZWLBridge\Release\CloseOZWLBridge.pdbP/2 source: CloseOZWLBridge.exe, 00000008.00000002.1732889732.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp, CloseOZWLBridge.exe, 00000008.00000000.1731707763.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLBridgeForUAC\Release\OZWLBridgeForUAC.pdb\oW4 source: OZWD629.tmp.1.dr
Source:	Binary string: d:\OZSource80\OZTransferX\Transfer_Control\Release\ZTransferLib.pdb source: ZTrD718.tmp.1.dr
Source:	Binary string: d:\ozsource\misc\OZWebLauncher\OZWebLauncher\obj\x86\Release\OZWebLauncher.pdb source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000000.2126414035.0000000000BC2000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: d:\ozsource\misc\OZWebLauncher\WebSockets\obj\Release\WebSockets.pdb source: OZWebLauncherUtil.exe, 0000001F.00000002.2915164601.0000000004322000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_isres_0x0409.pdb source: _is4AD9.tmp.1.dr
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: setup.exe, 00000001.00000003.1667559709.0000000000886000.00000004.00000020.00020000.00000000.sdmp, ISBEW64.exe, 00000002.00000002.2213567077.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000002.00000000.1686921318.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000003.00000002.1692670949.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000003.00000000.1687461278.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000004.00000002.1693203562.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000004.00000000.1687911327.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000005.00000002.1693902657.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000005.00000000.1689065493.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000006.00000002.1694512877.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000006.00000000.1693173144.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000007.00000000.1730363712.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000007.00000002.2210041589.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\Samsung_Fire\CloseOZWLBridge\Release\CloseOZWLBridge.pdb source: CloseOZWLBridge.exe, 00000008.00000002.1732889732.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp, CloseOZWLBridge.exe, 00000008.00000000.1731707763.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: d:\ozsource\misc\OZWebLauncher\OZWebLauncher\obj\x86\Release\OZWebLauncher.pdbls source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000000.2126414035.0000000000BC2000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWebLauncherUtil\obj\x86\Release\OZWebLauncherUtil.pdb source: OZWebLauncherUtil.exe, 0000001F.00000000.2118514832.0000000000DC2000.00000002.00000001.01000000.00000012.sdmp, OZWD559.tmp.1.dr

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_004443E5 __EH_prolog3_GS,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,CoCreateInstance,

0_2_004443E5

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .rsrc

PE file contains sections with non-standard names

Source: ZTU49AE.tmp.1.dr	Static PE information: section name: .orpc
Source: dot49BF.tmp.1.dr	Static PE information: section name: .boxld01
Source: ZTUD813.tmp.1.dr	Static PE information: section name: .orpc
Source: ZTUE4B7.tmp.1.dr	Static PE information: section name: .orpc

Registers a DLL

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32 /s /uC:\Windows\ZTUACControl.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00466655 push ecx; ret	0_2_00466668
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045B864 push ecx; ret	0_2_0045B877
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_002B1067 push ecx; ret	8_2_002B107A
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_002B347D push ecx; ret	8_2_002B3490
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_01051067 push ecx; ret	9_2_0105107A
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_0105347D push ecx; ret	9_2_01053490

Source: isr4AC8.tmp.1.dr

Static PE information: section name: .text entropy: 7.983505264778397

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\717D6C878B0B3041D21EA17EADD7ADD47C44DF25 Blob

Jump to behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\ozverify.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	File created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD57B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\dotNetFx_45.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\dotnetinstaller.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTrD718.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTransferLib.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	File created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD5DA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD537.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\System.Net.Json.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\dot4A95.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\setup.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD57A.tmp (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISB4A97.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZGetUserToken.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\WebD708.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD678.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\_is4AD9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\setC3A7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridge.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\isr4AC8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\_isres_0x0409.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\SysD707.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\Clo49EF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZGD4D8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ISSetup.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTU49AE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD6D7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Windows\ZTUACControl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ISSC3E7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\WebSockets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD629.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTUD813.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLNotify.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridgeForUAC.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\dot49BF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\isrt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Windows\ZTUE4B7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTUACControl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD559.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\ozvD4F8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\Clo494E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTUACControl.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	File created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Windows\ZTUE4B7.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Windows\ZTUACControl.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0041CAE7 __EH_prolog3_GS,GetPrivateProfileIntW,		0_2_0041CAE7
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0048A330 GetLastError,SetLastError,_memset,lstrcpyA,_memset,lstrcpyW,lstrlenA,_memset,lstrcpyA,lstrlenA,lstrlenA,_memmove,lstrcmpiA,GetLastError,SetLastError,_memmove,GetPrivateProfileIntA,_memset,lstrcpyA,GetPrivateProfileStringA,GetSysColor,_memset,_memset,GetPrivateProfileSectionNamesA,lstrcpyA,lstrcpyA,lstrlenA,lstrcpyA,GetPrivateProfileStringA,GetSysColor,GetLastError,SysFreeString,SysFreeString,SysFreeString,SetLastError,lstrcpyA,lstrlenA,lstrcmpA,lstrcpyA,GetPrivateProfileStringA,GetProcAddress,		0_2_0048A330

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OZWLBridge.lnk

Jump to behavior

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore

Jump to behavior

Modifies existing windows services

Source: C:\Windows\System32\SrTasks.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OZWLBridge.lnk

Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001F4209 IsWindowVisible,IsIconic,	8_2_001F4209
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001CE403 IsIconic,PostMessageW,	8_2_001CE403
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001D4820 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	8_2_001D4820
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001CC8A2 IsWindow,GetFocus,SendMessageW,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	8_2_001CC8A2
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_00225353 GetParent,GetParent,IsIconic,GetParent,	8_2_00225353
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001CD5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,	8_2_001CD5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001CD5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,	8_2_001CD5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001CD5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,	8_2_001CD5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001CD5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,	8_2_001CD5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001CD8AD IsWindowVisible,ScreenToClient,IsIconic,PtInRect,PtInRect,PtInRect,	8_2_001CD8AD
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001B9CA5 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,	8_2_001B9CA5
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001DBD49 IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,GetWindowRect,GetParent,IsRectEmpty,EndDeferWindowPos,	8_2_001DBD49
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F94209 IsWindowVisible,IsIconic,	9_2_00F94209
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6E403 IsIconic,PostMessageW,	9_2_00F6E403
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6C8A2 IsWindow,GetFocus,SendMessageW,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	9_2_00F6C8A2
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F74820 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	9_2_00F74820
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00FC5353 GetParent,GetParent,IsIconic,GetParent,	9_2_00FC5353
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6D5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,	9_2_00F6D5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6D5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,	9_2_00F6D5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6D5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,	9_2_00F6D5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6D5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,	9_2_00F6D5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6D8AD IsWindowVisible,ScreenToClient,IsIconic,PtInRect,PtInRect,PtInRect,	9_2_00F6D8AD
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F59CA5 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,	9_2_00F59CA5
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F7BD49 IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,GetWindowRect,GetParent,IsRectEmpty,EndDeferWindowPos,	9_2_00F7BD49

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe

Code function: 2_2_00007FF7D9437180 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00007FF7D9437180

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Stores large binary data to the registry

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Memory allocated: 1C00000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Memory allocated: 1D90000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Memory allocated: 3D90000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Memory allocated: 12B0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Memory allocated: 3020000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Memory allocated: 2E60000 memory reserve \| memory write watch

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\svchost.exe

File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Contains long sleeps (>= 3 min)

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe

Window / User API: threadDelayed 407

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\isr4AC8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ozverify.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\_isres_0x0409.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\SysD707.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ISSetup.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZGD4D8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD57B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTU49AE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Windows\ZTUACControl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\dotNetFx_45.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ISSC3E7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\WebSockets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\dotnetinstaller.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTrD718.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD629.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTransferLib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTUD813.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD5DA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLNotify.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridgeForUAC.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\dot49BF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\isrt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\System.Net.Json.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\dot4A95.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD57A.tmp (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Windows\ZTUE4B7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTUACControl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZGetUserToken.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\WebD708.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD678.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ozvD4F8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\_is4AD9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTUACControl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridge.exe (copy)	Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	API coverage: 7.0 %
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	API coverage: 3.2 %
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	API coverage: 2.8 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\SrTasks.exe TID: 7732	Thread sleep time: -290000s >= -30000s
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe TID: 7136	Thread sleep count: 407 > 30
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe TID: 7136	Thread sleep time: -24420000s >= -30000s
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe TID: 2476	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe TID: 7040	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7216	Thread sleep time: -30000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File Volume queried: C:\Windows FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00425659 __EH_prolog3_GS,FindFirstFileW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrcatW,SysStringLen,lstrcatW,GetFileAttributesW,lstrcatW,lstrcmpiW,lstrcpynW,lstrcmpiW,lstrcmpiW,SysStringLen,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,DeleteFileW,lstrcpyW,	0_2_00425659
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0042C966 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,	0_2_0042C966
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00451BC7 __EH_prolog3_GS,FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,RemoveDirectoryW,__CxxThrowException@8,DeleteFileW,	0_2_00451BC7
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001F11F2 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	8_2_001F11F2
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F911F2 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	9_2_00F911F2

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_0041CF22 CreateFileW,CreateFileMappingW,GetSystemInfo,MapViewOfFile,IsBadReadPtr,UnmapViewOfFile,MapViewOfFile,IsBadReadPtr,GetLastError,

0_2_0041CF22

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Thread delayed: delay time: 60000
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\	Jump to behavior

Source: setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachinealled
Source: setup.exe, 00000001.00000003.2228722617.0000000002831000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2230877414.0000000002848000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine=%ld.
Source: setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachinez}
Source: svchost.exe, 0000000C.00000002.2908799857.0000021F17855000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: setup.exe, 00000001.00000002.2439910239.0000000002925000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2232792483.000000000291E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine4
Source: setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2234140158.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2233259166.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0_GetVirtualMachineType
Source: setup.exe, 00000001.00000002.2439910239.0000000002925000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2210154643.0000000004B6D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2232792483.000000000291E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1667885797.0000000000881000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2440903656.0000000004B8D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2210555594.0000000004B85000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2435960075.0000000004B8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _IsVirtualMachine
Source: svchost.exe, 00000022.00000002.2917929837.000002C553455000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.2912511691.000002C54DE2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: setup.exe, 00000001.00000003.2235951431.000000000088A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachineZ
Source: svchost.exe, 0000000C.00000003.1958674778.0000021F1786B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000C.00000002.2909107251.0000021F17859000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: setup.exe, 00000001.00000002.2439496440.0000000002747000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2435654784.0000000002740000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2436719585.0000000002746000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2435298859.0000000002735000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bIsVirtualMachine
Source: VSSVC.exe, 0000000B.00000003.2096500791.0000017AD17E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:J
Source: OZWebLauncherUtil.exe, 0000001F.00000002.2910888541.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SrTasks.exe, 00000010.00000002.2243285813.000002848DDBB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: svchost.exe, 0000000C.00000003.1958586697.0000021F17863000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2234140158.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2233259166.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0_IsVirtualMachine
Source: setup.exe, 00000001.00000003.2210154643.0000000004B6D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2440903656.0000000004B8D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2210555594.0000000004B85000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2435960075.0000000004B8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _IsVirtualMachine3
Source: setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine=%ld
Source: setup.exe, 00000001.00000003.1667885797.0000000000881000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _GetVirtualMachineType
Source: VSSVC.exe, 0000000B.00000003.2096500791.0000017AD17E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:{
Source: SrTasks.exe, 00000010.00000003.2153538341.000002848DDBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:889w
Source: setup.exe, 00000001.00000002.2439910239.0000000002925000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2232792483.000000000291E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2228722617.0000000002831000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2235951431.000000000088A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2230877414.0000000002848000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine
Source: setup.exe, 00000001.00000003.1667885797.0000000000881000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AddIconCallDLLFnComponentViewCreateWindowComponentViewDestroyComponentViewRefreshComponentViewSelectAllComponentViewSetInfoComponentViewSetInfoExCreateFolderDeleteFolderDeleteIconEnableHourGlassEnumFoldersItemsGetCPUTypeGetFontSubGetHandleGetPortsGetSelectedItemStateIsEmptyIsNTAdminIsOSTypeNTIsObjectIsPowerUserLangLoadStringMessageBeepPPathCompactPathPixelPathCrackUrlPathGetDirPathGetDrivePathGetFilePathGetFileExtPathGetFileNamePathGetLongFromShortPathGetPathPathIsValidSyntaxQueryIconReadArrayPropertyReadBoolPropertyReadNumberPropertyReplaceIconShowFolderTextSubSubstituteVerGetFileVersionWriteArrayPropertyWriteBoolPropertyWriteNumberPropertyWriteStringProperty_AppSearch_BrowseForFolder_CCPSearch_CHARArrayToWCHARArray_CalculateAndAddFileCost_CleanupInet_CloseFile_CmdGetHwndDlg_CmdGetMsg_CmdGetParam1_CmdGetParam2_CoGetObject_CompareDWORD_ComponentAddItem_ComponentCompareSizeRequired_ComponentError_ComponentErrorInfo_ComponentFileEnum_ComponentFileInfo_ComponentFilterLanguage_ComponentFilterOS_ComponentGetCost_ComponentGetCostEx_ComponentGetData_ComponentGetItemSize_ComponentGetTotalCost_ComponentGetTotalCostEx_ComponentInitialize_ComponentIsItemSelected_ComponentListItems_ComponentLoadTarget_ComponentMoveData_ComponentPatch_ComponentReinstall_ComponentRemoveAll_ComponentRemoveAllInLogOnly_ComponentSaveTarget_ComponentSelectItem_ComponentSelectNew_ComponentSetData_ComponentSetupTypeEnum_ComponentSetupTypeGetData_ComponentSetupTypeSet_ComponentTotalSize_ComponentTransferData_ComponentUpdate_ComponentValidate_ComponentViewCreate_ComponentViewQueryInfo_CopyBytes_CreateDir_CreateObject_CreateRegistrySet_CreateShellObjects_CtrlGetNotificationCode_CtrlGetParentWindowHelper_CtrlGetSubCommand_CtrlGetUrlForLinkClicked_CtrlSetHtmlContent_CtrlSetMLERichText_DIFxDriverPackageGetPath_DIFxDriverPackageInstall_DIFxDriverPackagePreinstall_DIFxDriverPackageUninstall_DefineDialog_DeleteCHARArray_DialogSetFont_DisableBranding_DisableStatus_Divide_DoInstall_DoSprintf_DotNetCoCreateObject_DotNetUnloadAppDomain_EnableDialogCache_EnablePrevDialog_EnableSkins_EnableStatus_EnableWow64FsRedirection_EndDialog_ExistsDir_ExistsDisk_ExistsFile_ExitInstall_FeatureAddCost_FeatureAddUninstallCost_FeatureGetCost_FeatureInitialize_FeatureSpendCost_FeatureSpendUninstallCost_FileCopy_FloatingPointOperation_GenerateFileMD5SignatureHex_GetByte_GetCurrentDialogName_GetDiskInfo_GetDiskSpaceEx_GetDiskSpaceExEx_GetFont_GetGlobalFlags_GetGlobalMemorySize_GetInetFileSize_GetInetFileTime_GetLine_GetLineSize_GetObject_GetObjectByIndex_GetObjectCount_GetProcessorInfo_GetRunningChildProcess_GetRunningChildProcessEx_GetRunningChildProcessEx2_GetSelectedTreeComponent_GetStandardLangId_GetSupportDir_GetSystemDpi_GetTrueTypeFontFileInfo_GetVirtualMachineType_InetEndofTransfer_InetGetLastError_InetGetNextDisk_InitInstall_IsFontTypefaceNameAvailable_IsInAdminGroup_IsLangSupported_IsSkinLoaded_IsVirtualMachine_IsWindowsME_IsWow64_KillProcesses_ListAddItem_ListAddString_ListCount_ListCreate_ListCurrentIte
Source: VSSVC.exe, 0000000B.00000002.2909812834.0000017AD17D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:{
Source: VSSVC.exe, 0000000B.00000002.2909812834.0000017AD17D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_00464F6E _memset,IsDebuggerPresent,

0_2_00464F6E

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_0047A0BB EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_0047A0BB

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_004443E5 __EH_prolog3_GS,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,CoCreateInstance,

0_2_004443E5

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_00430226 GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,_strlen,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree,

0_2_00430226

Enables debug privileges

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004638C7 SetUnhandledExceptionFilter,	0_2_004638C7
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004638EA SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004638EA
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D943DCD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF7D943DCD4
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D94407D8 SetUnhandledExceptionFilter,	2_2_00007FF7D94407D8
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_002B0383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_002B0383
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_002B75BC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_002B75BC
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_01050383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_01050383
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_010575BC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_010575BC

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe

Memory allocated: page read and write | page guard

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncher.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherUtilFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncherUtil.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s c:\Windows\ZTUACControl.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Process created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\setup.exe -package:"c:\users\user\desktop\online_install_dialog_ui_ssl.exe" -no_selfdeleter -is_temp -media_path:"c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\disk1\" -tempdisk1folder:"c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\" -is_originallauncher:"c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\disk1\setup.exe"
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Process created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\setup.exe -package:"c:\users\user\desktop\online_install_dialog_ui_ssl.exe" -no_selfdeleter -is_temp -media_path:"c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\disk1\" -tempdisk1folder:"c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\" -is_originallauncher:"c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\disk1\setup.exe"			Jump to behavior

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_004448BB __EH_prolog3_GS,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,_memset,SetEntriesInAclW,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetTempPathW,

0_2_004448BB

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_00450887 GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,

0_2_00450887

Source: setup.exe, 00000001.00000003.1659772558.00000000025C0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ISLOG_VERSION_INFO..\..\..\Shared\LogServices2\LogDB.cppOPTYPE_PROGMANISLOGDB_USER_PROPERTIES,
Source: ISSetup.dll.0.dr	Binary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
Source: setup.exe, 00000001.00000003.2434948860.0000000000869000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2238976039.0000000000867000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2241930878.0000000000869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OPTYPE_PROGMAN
Source: setup.exe, 00000001.00000003.2434948860.0000000000869000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2238976039.0000000000867000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2241930878.0000000000869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OPTYPE_PROGMANes
Source: setup.exe, 00000001.00000003.2434948860.0000000000869000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2238976039.0000000000867000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2241930878.0000000000869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OPTYPE_PROGMAN;F

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_0046391A cpuid

0_2_0046391A

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW,	0_2_0046E1E0
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: EnumSystemLocalesW,	0_2_0046E450
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_0047A437
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_0046E4AC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_0046E529
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	0_2_0046E5AC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,	0_2_004125AD
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: GetLocaleInfoW,	0_2_0046E79F
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0046E8C7
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	0_2_0046E974
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	0_2_0046EA48
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: EnumSystemLocalesW,	0_2_0046EF47
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: GetLocaleInfoW,	0_2_0046EFCD
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: __snwprintf_s,GetLocaleInfoW,PathFindFileNameW,_memset,GetModuleHandleW,GetProcAddress,LoadLibraryExW,	8_2_001B23CB
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: GetLocaleInfoA,	8_2_002C422B
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: __snwprintf_s,GetLocaleInfoW,PathFindFileNameW,_memset,GetModuleHandleW,GetProcAddress,LoadLibraryExW,	9_2_00F523CB
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: GetLocaleInfoA,	9_2_0106422B

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Queries volume information: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Queries volume information: C:\Program Files (x86)\FORCS\OZWebLauncher\WebSockets.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.Classic\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.Classic.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Program Files (x86)\FORCS\OZWebLauncher\WebSockets.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Program Files (x86)\FORCS\OZWebLauncher\System.Net.Json.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_0043B52C __EH_prolog3_GS,GetCurrentProcessId,_memset,GetLocalTime,GetModuleFileNameW,

0_2_0043B52C

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_00430174 GetVersionExW,

0_2_00430174

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncher.exe" action=allow

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Adds / modifies Windows certificates

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004542BF __EH_prolog3_GS,GetLastError,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,CryptHashData,CryptSignHashW,CryptSignHashW,CryptSignHashW,GetLastError,GetLastError,WriteFile,WriteFile,WriteFile,	0_2_004542BF
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004546DD __EH_prolog3_GS,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,CryptHashData,CryptHashData,GetLastError,_memmove,GetLastError,CryptVerifySignatureW,	0_2_004546DD
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00454C59 CryptReleaseContext,	0_2_00454C59
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00454C91 CryptDestroyHash,	0_2_00454C91
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00454CAB CryptDestroyKey,	0_2_00454CAB
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00454DDC CryptExportKey,	0_2_00454DDC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045505F CryptGetHashParam,GetLastError,CryptGetHashParam,	0_2_0045505F
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045521D CryptHashData,	0_2_0045521D
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004552A9 CryptImportKey,	0_2_004552A9
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00455333 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError,	0_2_00455333
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045564F CoCreateGuid,StringFromGUID2,_wcsncpy,CryptAcquireContextW,CryptCreateHash,	0_2_0045564F
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004559DE CryptGetHashParam,GetLastError,	0_2_004559DE
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004559E0 CryptGetHashParam,GetLastError,CryptSetHashParam,	0_2_004559E0
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00455A6D CryptAcquireContextW,CryptReleaseContext,CryptDestroyHash,	0_2_00455A6D
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00455DCC SetFilePointer,CryptSignHashW,GetLastError,CryptSignHashW,WriteFile,WriteFile,WriteFile,SetFilePointer,	0_2_00455DCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00455D9E CryptVerifySignatureW,GetLastError,	0_2_00455D9E

Uses 32bit PE files

Source: OnLine_Install_Dialog_UI_SSL.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\ozcE786.tmp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\ozcE786.tmp			Jump to behavior

Source: OnLine_Install_Dialog_UI_SSL.exe

Static PE information: certificate valid

Source:	Binary string: E:\Project_Test\CloseOZWebLauncher\Release\CloseOZWebLauncher.pdb source: CloseOZWebLauncher.exe, 00000009.00000000.1733726897.0000000001078000.00000002.00000001.01000000.0000000D.sdmp, CloseOZWebLauncher.exe, 00000009.00000002.1739712006.0000000001078000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLBridgeForUAC\Release\OZWLBridgeForUAC.pdb source: OZWD629.tmp.1.dr
Source:	Binary string: E:\Project_Test\CloseOZWebLauncher\Release\CloseOZWebLauncher.pdbP/ source: CloseOZWebLauncher.exe, 00000009.00000000.1733726897.0000000001078000.00000002.00000001.01000000.0000000D.sdmp, CloseOZWebLauncher.exe, 00000009.00000002.1739712006.0000000001078000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\ISP\setup.pdb source: OnLine_Install_Dialog_UI_SSL.exe, setup.exe0.0.dr
Source:	Binary string: C:\Users\sg0216986\Documents\Visual Studio 2010\Projects\Json4DotNet\System.Net.Json\obj\Release\System.Net.Json.pdb source: OZWebLauncher.exe, 00000021.00000002.2920008536.0000000007902000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLService\Release\OZWLService.pdb source: OZWLService.exe, 0000001E.00000000.2117884411.0000000000BF8000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: d:\OZSource80\OZTransferX\Transfer_Control\Release\ZTransferLib.pdbT4 source: ZTrD718.tmp.1.dr
Source:	Binary string: D:\Samsung_Fire\CloseOZWLBridge\Release\CloseOZWLBridge.pdbP/2 source: CloseOZWLBridge.exe, 00000008.00000002.1732889732.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp, CloseOZWLBridge.exe, 00000008.00000000.1731707763.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLBridgeForUAC\Release\OZWLBridgeForUAC.pdb\oW4 source: OZWD629.tmp.1.dr
Source:	Binary string: d:\OZSource80\OZTransferX\Transfer_Control\Release\ZTransferLib.pdb source: ZTrD718.tmp.1.dr
Source:	Binary string: d:\ozsource\misc\OZWebLauncher\OZWebLauncher\obj\x86\Release\OZWebLauncher.pdb source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000000.2126414035.0000000000BC2000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: d:\ozsource\misc\OZWebLauncher\WebSockets\obj\Release\WebSockets.pdb source: OZWebLauncherUtil.exe, 0000001F.00000002.2915164601.0000000004322000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_isres_0x0409.pdb source: _is4AD9.tmp.1.dr
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: setup.exe, 00000001.00000003.1667559709.0000000000886000.00000004.00000020.00020000.00000000.sdmp, ISBEW64.exe, 00000002.00000002.2213567077.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000002.00000000.1686921318.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000003.00000002.1692670949.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000003.00000000.1687461278.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000004.00000002.1693203562.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000004.00000000.1687911327.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000005.00000002.1693902657.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000005.00000000.1689065493.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000006.00000002.1694512877.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000006.00000000.1693173144.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000007.00000000.1730363712.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000007.00000002.2210041589.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\Samsung_Fire\CloseOZWLBridge\Release\CloseOZWLBridge.pdb source: CloseOZWLBridge.exe, 00000008.00000002.1732889732.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp, CloseOZWLBridge.exe, 00000008.00000000.1731707763.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: d:\ozsource\misc\OZWebLauncher\OZWebLauncher\obj\x86\Release\OZWebLauncher.pdbls source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000000.2126414035.0000000000BC2000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWebLauncherUtil\obj\x86\Release\OZWebLauncherUtil.pdb source: OZWebLauncherUtil.exe, 0000001F.00000000.2118514832.0000000000DC2000.00000002.00000001.01000000.00000012.sdmp, OZWD559.tmp.1.dr

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00425659 __EH_prolog3_GS,FindFirstFileW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrcatW,SysStringLen,lstrcatW,GetFileAttributesW,lstrcatW,lstrcmpiW,lstrcpynW,lstrcmpiW,lstrcmpiW,SysStringLen,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,DeleteFileW,lstrcpyW,	0_2_00425659
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0042C966 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,	0_2_0042C966
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00451BC7 __EH_prolog3_GS,FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,RemoveDirectoryW,__CxxThrowException@8,DeleteFileW,	0_2_00451BC7
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001F11F2 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	8_2_001F11F2
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F911F2 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	9_2_00F911F2

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\	Jump to behavior

Source: OnLine_Install_Dialog_UI_SSL.exe, setup.exe0.0.dr	String found in binary or memory: http://=0x%04x.iniMS
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: OZWebLauncherUtil.exe, 0000001F.00000002.2913458137.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MainWindow.xamld
Source: setup.exe, 00000001.00000002.2438979471.000000000083E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2239128364.000000000083D000.00000004.00000020.00020000.00000000.sdmp, data1.hdr.0.dr	String found in binary or memory: http://deviis4.installshield.com/NetNirvana/
Source: svchost.exe, 00000022.00000003.2136483818.000002C553618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000022.00000003.2136483818.000002C553618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000022.00000003.2136483818.000002C553618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000022.00000003.2136483818.000002C553618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000022.00000003.2136483818.000002C553618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000022.00000003.2136483818.000002C553618000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000022.00000003.2136483818.000002C55364D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000022.00000003.2136483818.000002C553691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: OZWebLauncherUtil.exe, 0000001F.00000002.2913458137.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/MainWindow.xaml
Source: OZWebLauncherUtil.exe, 0000001F.00000002.2913458137.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/mainwindow.baml
Source: OZWebLauncherUtil.exe, 0000001F.00000002.2913458137.0000000001D91000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/mainwindow.bamld
Source: ZTrD718.tmp.1.dr	String found in binary or memory: http://https://.././SOFTWARE
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://s2.symcb.com0
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://sv.symcd.com0&
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://www.flexerasoftware.com0
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: OnLine_Install_Dialog_UI_SSL.exe, setup.ini.1.dr, setup.exe0.0.dr	String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: _is4AD9.tmp.1.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: OZWebLauncher.exe, 00000021.00000002.2920040513.0000000007952000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: setup.exe, 00000001.00000003.2234591613.000000000297A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2212449812.0000000002979000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2240388417.00000000029C5000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.000000000297A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.8T)
Source: _is4AD9.tmp.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: _is4AD9.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000022.00000003.2136483818.000002C5536C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000022.00000003.2136483818.000002C553672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000022.00000003.2136483818.000002C5536C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000022.00000003.2136483818.000002C5536A3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000022.00000003.2136483818.000002C5536F4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000022.00000003.2136483818.000002C5536C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000022.00000003.2136483818.000002C5536E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000022.00000003.2136483818.000002C5536C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: svchost.exe, 00000022.00000003.2136483818.000002C5536C2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000022.00000003.2136483818.000002C553672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2914468780.0000000003021000.00000004.00000800.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006510000.00000004.00000020.00020000.00000000.sdmp, OZWD559.tmp.1.dr, OZWD629.tmp.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe

Code function: 8_2_0021E34D GetClientRect,GetAsyncKeyState,SendMessageW,

8_2_0021E34D

Potential key logger detected (key state polling based)

Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001C815B IsWindow,SendMessageW,GetCapture,SendMessageW,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	8_2_001C815B
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001CC169 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	8_2_001CC169
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_00224794 GetWindowRect,KillTimer,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer,	8_2_00224794
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001C9526 IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	8_2_001C9526
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_00219612 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageW,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetWindowPos,SendMessageW,_memset,SendMessageW,GetParent,	8_2_00219612
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001F3A33 SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW,	8_2_001F3A33
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00FDC1D1 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	9_2_00FDC1D1
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6C169 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	9_2_00F6C169
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6815B IsWindow,SendMessageW,GetCapture,SendMessageW,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	9_2_00F6815B
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00FC4794 GetWindowRect,KillTimer,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer,	9_2_00FC4794
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F69526 IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	9_2_00F69526
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00FB9612 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageW,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetWindowPos,SendMessageW,_memset,SendMessageW,GetParent,	9_2_00FB9612
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F93A33 SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW,	9_2_00F93A33

Drops certificate files (DER)

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\forD4C5.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\forcscert.pfx (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004552A9 CryptImportKey,		0_2_004552A9
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00455333 __EH_prolog3_GS,CreateFileW,ReadFile,CryptCreateHash,ReadFile,CryptHashData,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,ReadFile,CryptImportKey,GetLastError,GetLastError,		0_2_00455333

System Summary

PE file has a writeable .text section

Source: ISSetup.dll.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSetup.dll.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: isr4AC8.tmp.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSC3E7.tmp.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_00447C87 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_00447C87

Creates files inside the system directory

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Windows\ZTUE4B7.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Windows\ZTUE4B7.tmp	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Deletes files inside the Windows folder

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

File deleted: C:\Windows\ZTUE4B7.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0047C0B0	0_2_0047C0B0
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0047022B	0_2_0047022B
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004685CF	0_2_004685CF
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0047C619	0_2_0047C619
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0049CA69	0_2_0049CA69
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00490B40	0_2_00490B40
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0047CB89	0_2_0047CB89
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0047D4E8	0_2_0047D4E8
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0047D8A7	0_2_0047D8A7
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004719F6	0_2_004719F6
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00475CA1	0_2_00475CA1
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0049DEC4	0_2_0049DEC4
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0047E023	0_2_0047E023
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045E9CF	0_2_0045E9CF
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0044ECB8	0_2_0044ECB8
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045EEC3	0_2_0045EEC3
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00463190	0_2_00463190
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045F2DB	0_2_0045F2DB
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00493630	0_2_00493630
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045F710	0_2_0045F710
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045FB45	0_2_0045FB45
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0047FD1C	0_2_0047FD1C
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D9431AD0	2_2_00007FF7D9431AD0
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D9434230	2_2_00007FF7D9434230
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D943D308	2_2_00007FF7D943D308
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D94442FC	2_2_00007FF7D94442FC
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D943F11C	2_2_00007FF7D943F11C
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D9434E10	2_2_00007FF7D9434E10
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D943CC64	2_2_00007FF7D943CC64
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D943FCE4	2_2_00007FF7D943FCE4
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001BE9F4	8_2_001BE9F4
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_002BEB98	8_2_002BEB98
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_002B8D35	8_2_002B8D35
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_0021B161	8_2_0021B161
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_002B1DB5	8_2_002B1DB5
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_00259FCF	8_2_00259FCF
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F5E9F4	9_2_00F5E9F4
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_0105EB98	9_2_0105EB98
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00FDAA29	9_2_00FDAA29
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_01058D35	9_2_01058D35
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00FBB161	9_2_00FBB161
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00FD9BD7	9_2_00FD9BD7
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_01051DB5	9_2_01051DB5
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00FF9FCF	9_2_00FF9FCF

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: String function: 01050F8F appears 289 times
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: String function: 01053438 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: String function: 002B0F8F appears 251 times
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: String function: 002B3438 appears 38 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 00423AD2 appears 41 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 0045B8C9 appears 297 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 00459F9F appears 77 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 0045B8FF appears 56 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 0045B896 appears 225 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 004091B8 appears 102 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 00466610 appears 42 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 00459FCD appears 56 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 0045A2FE appears 124 times
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: String function: 0041AE03 appears 38 times

PE file contains executable resources (Code or Archives)

Source: ozvD4F8.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ozvD4F8.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Sample file is different than original file name gathered from version info

Source: OnLine_Install_Dialog_UI_SSL.exe, 00000000.00000002.2441852535.0000000000519000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs OnLine_Install_Dialog_UI_SSL.exe
Source: OnLine_Install_Dialog_UI_SSL.exe, 00000000.00000003.2441490591.0000000000885000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs OnLine_Install_Dialog_UI_SSL.exe
Source: OnLine_Install_Dialog_UI_SSL.exe	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs OnLine_Install_Dialog_UI_SSL.exe

Uses 32bit PE files

Source: OnLine_Install_Dialog_UI_SSL.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ISSetup.dll.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSetup.dll.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: isr4AC8.tmp.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSC3E7.tmp.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: isr4AC8.tmp.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: CloseOZWebLauncher.exe, 00000009.00000002.1740048299.0000000001610000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: n_ip_tcpBS;.VBpp
Source: CloseOZWebLauncher.exe, 00000009.00000002.1740048299.0000000001610000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BS;.VBp

Source: classification engine

Classification label: sus28.evad.winEXE@55/135@0/1

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_00447C87 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_00447C87

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_0041F883 _memset,lstrcpyW,lstrcatW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,

0_2_0041F883

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_00446187 __EH_prolog3_GS,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,Process32NextW,OpenProcess,

0_2_00446187

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_004443E5 __EH_prolog3_GS,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,CoCreateInstance,

0_2_004443E5

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_00420149 __EH_prolog3_catch_GS,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

0_2_00420149

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

File created: C:\Program Files (x86)\InstallShield Installation Information\

Jump to behavior

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\97e828cd0105f5dc8974dc728e950457_9e146be9-c76a-4720-bcdb-53011b87bd06

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\E57AA2E7-1A7E-47FB-B362-ED04768595E6
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:180:120:WilError_03

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

File created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: @/L	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: EXE=%s	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: EXEProcessBegin	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: ISSetupInit	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: @/L	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: >YG	0_2_00475890
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: @/L	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: EXE=%s	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: EXEProcessBegin	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: ISSetupInit	0_2_00425FCC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Command line argument: @/L	0_2_00425FCC

Source: OnLine_Install_Dialog_UI_SSL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

File read: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\setup.ini

Jump to behavior

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Binary or memory string: Select the language for the installation from the choices below.ue?;

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

File read: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe "C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe"
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Process created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe -package:"C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\" -tempdisk1folder:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\" -IS_OriginalLauncher:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5E314697-D110-4002-B63C-61B432079D77}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1856CA6F-3A7F-472E-B337-2E3FA07FC85C}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F0A08E8-A0D1-45AD-AF2B-F10D703CD02A}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BAB69511-4FCB-4C17-80A3-43394505337C}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{10BFDE1A-F312-4E1F-BEA2-24F4DCA4D57F}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{54B59A05-F3F9-4E3A-8D72-1C938585C9B4}
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe
Source: unknown	Process created: C:\Windows\System32\VSSVC.exe C:\Windows\system32\vssvc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k swprv
Source: unknown	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\addfirewall.bat /s /v/q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncher.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherUtilFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncherUtil.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32 /s /uC:\Windows\ZTUACControl.dll
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32 /s C:\Windows\ZTUACControl.dll
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTUACControl.bat /s /v/q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s c:\Windows\ZTUACControl.dll
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Windows\SysWOW64\timeout.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe"
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe"
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Windows\SysWOW64\timeout.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Process created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe -package:"C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe" -no_selfdeleter -IS_temp -media_path:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\" -tempdisk1folder:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\" -IS_OriginalLauncher:"C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\setup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5E314697-D110-4002-B63C-61B432079D77}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1856CA6F-3A7F-472E-B337-2E3FA07FC85C}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F0A08E8-A0D1-45AD-AF2B-F10D703CD02A}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BAB69511-4FCB-4C17-80A3-43394505337C}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{10BFDE1A-F312-4E1F-BEA2-24F4DCA4D57F}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{54B59A05-F3F9-4E3A-8D72-1C938585C9B4}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\addfirewall.bat /s /v/q	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32 /s /uC:\Windows\ZTUACControl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32 /s C:\Windows\ZTUACControl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTUACControl.bat /s /v/q	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncher.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherUtilFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncherUtil.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s c:\Windows\ZTUACControl.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe"
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe"

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: sxproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: virtdisk.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: vss_ps.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: catsrvut.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: mfcsubs.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: swprv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: virtdisk.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vss_ps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vss_ps.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\CheckNetIsolation.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: aclayers.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: sfc.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: msisip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: wshext.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: appxsip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: opcservices.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: esdsip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Section loaded: d3d9.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: aclayers.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: sfc.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: sfc_os.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: dwrite.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: riched20.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: usp10.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: msls31.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: msisip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: wshext.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: appxsip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: opcservices.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: esdsip.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: dpapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: d3d9.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll

Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: OZWLBridge.lnk.1.dr

LNK file: ..\..\..\..\..\..\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridge.exe

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

File written: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\0x0409.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\ozcE786.tmp			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\ozcE786.tmp			Jump to behavior

Source: OnLine_Install_Dialog_UI_SSL.exe

Static PE information: certificate valid

Source: OnLine_Install_Dialog_UI_SSL.exe

Static file information: File size 11588408 > 1048576

Source: OnLine_Install_Dialog_UI_SSL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\Project_Test\CloseOZWebLauncher\Release\CloseOZWebLauncher.pdb source: CloseOZWebLauncher.exe, 00000009.00000000.1733726897.0000000001078000.00000002.00000001.01000000.0000000D.sdmp, CloseOZWebLauncher.exe, 00000009.00000002.1739712006.0000000001078000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLBridgeForUAC\Release\OZWLBridgeForUAC.pdb source: OZWD629.tmp.1.dr
Source:	Binary string: E:\Project_Test\CloseOZWebLauncher\Release\CloseOZWebLauncher.pdbP/ source: CloseOZWebLauncher.exe, 00000009.00000000.1733726897.0000000001078000.00000002.00000001.01000000.0000000D.sdmp, CloseOZWebLauncher.exe, 00000009.00000002.1739712006.0000000001078000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\ISP\setup.pdb source: OnLine_Install_Dialog_UI_SSL.exe, setup.exe0.0.dr
Source:	Binary string: C:\Users\sg0216986\Documents\Visual Studio 2010\Projects\Json4DotNet\System.Net.Json\obj\Release\System.Net.Json.pdb source: OZWebLauncher.exe, 00000021.00000002.2920008536.0000000007902000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLService\Release\OZWLService.pdb source: OZWLService.exe, 0000001E.00000000.2117884411.0000000000BF8000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: d:\OZSource80\OZTransferX\Transfer_Control\Release\ZTransferLib.pdbT4 source: ZTrD718.tmp.1.dr
Source:	Binary string: D:\Samsung_Fire\CloseOZWLBridge\Release\CloseOZWLBridge.pdbP/2 source: CloseOZWLBridge.exe, 00000008.00000002.1732889732.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp, CloseOZWLBridge.exe, 00000008.00000000.1731707763.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWLBridgeForUAC\Release\OZWLBridgeForUAC.pdb\oW4 source: OZWD629.tmp.1.dr
Source:	Binary string: d:\OZSource80\OZTransferX\Transfer_Control\Release\ZTransferLib.pdb source: ZTrD718.tmp.1.dr
Source:	Binary string: d:\ozsource\misc\OZWebLauncher\OZWebLauncher\obj\x86\Release\OZWebLauncher.pdb source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000000.2126414035.0000000000BC2000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: d:\ozsource\misc\OZWebLauncher\WebSockets\obj\Release\WebSockets.pdb source: OZWebLauncherUtil.exe, 0000001F.00000002.2915164601.0000000004322000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_isres_0x0409.pdb source: _is4AD9.tmp.1.dr
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: setup.exe, 00000001.00000003.1667559709.0000000000886000.00000004.00000020.00020000.00000000.sdmp, ISBEW64.exe, 00000002.00000002.2213567077.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000002.00000000.1686921318.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000003.00000002.1692670949.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000003.00000000.1687461278.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000004.00000002.1693203562.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000004.00000000.1687911327.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000005.00000002.1693902657.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000005.00000000.1689065493.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000006.00000002.1694512877.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000006.00000000.1693173144.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000007.00000000.1730363712.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000007.00000002.2210041589.00007FF7D9447000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: D:\Samsung_Fire\CloseOZWLBridge\Release\CloseOZWLBridge.pdb source: CloseOZWLBridge.exe, 00000008.00000002.1732889732.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp, CloseOZWLBridge.exe, 00000008.00000000.1731707763.00000000002D8000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: d:\ozsource\misc\OZWebLauncher\OZWebLauncher\obj\x86\Release\OZWebLauncher.pdbls source: OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000000.2126414035.0000000000BC2000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\OZSOURCE80\misc\OZWebLauncher\OZWebLauncherUtil\obj\x86\Release\OZWebLauncherUtil.pdb source: OZWebLauncherUtil.exe, 0000001F.00000000.2118514832.0000000000DC2000.00000002.00000001.01000000.00000012.sdmp, OZWD559.tmp.1.dr

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_004443E5 __EH_prolog3_GS,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,CoCreateInstance,

0_2_004443E5

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .rsrc

PE file contains sections with non-standard names

Source: ZTU49AE.tmp.1.dr	Static PE information: section name: .orpc
Source: dot49BF.tmp.1.dr	Static PE information: section name: .boxld01
Source: ZTUD813.tmp.1.dr	Static PE information: section name: .orpc
Source: ZTUE4B7.tmp.1.dr	Static PE information: section name: .orpc

Registers a DLL

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32 /s /uC:\Windows\ZTUACControl.dll

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00466655 push ecx; ret	0_2_00466668
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0045B864 push ecx; ret	0_2_0045B877
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_002B1067 push ecx; ret	8_2_002B107A
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_002B347D push ecx; ret	8_2_002B3490
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_01051067 push ecx; ret	9_2_0105107A
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_0105347D push ecx; ret	9_2_01053490

Source: isr4AC8.tmp.1.dr

Static PE information: section name: .text entropy: 7.983505264778397

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\717D6C878B0B3041D21EA17EADD7ADD47C44DF25 Blob

Jump to behavior

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\ozverify.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	File created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD57B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\dotNetFx_45.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\dotnetinstaller.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTrD718.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTransferLib.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	File created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD5DA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD537.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\System.Net.Json.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\dot4A95.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\setup.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD57A.tmp (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISB4A97.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZGetUserToken.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\WebD708.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD678.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\_is4AD9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\setC3A7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridge.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\isr4AC8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\_isres_0x0409.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\SysD707.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\Clo49EF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZGD4D8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ISSetup.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTU49AE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD6D7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Windows\ZTUACControl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ISSC3E7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\WebSockets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD629.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTUD813.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLNotify.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridgeForUAC.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\dot49BF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\isrt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Windows\ZTUE4B7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTUACControl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD559.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Program Files (x86)\FORCS\OZWebLauncher\ozvD4F8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\Clo494E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTUACControl.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	File created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Windows\ZTUE4B7.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File created: C:\Windows\ZTUACControl.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0041CAE7 __EH_prolog3_GS,GetPrivateProfileIntW,		0_2_0041CAE7
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0048A330 GetLastError,SetLastError,_memset,lstrcpyA,_memset,lstrcpyW,lstrlenA,_memset,lstrcpyA,lstrlenA,lstrlenA,_memmove,lstrcmpiA,GetLastError,SetLastError,_memmove,GetPrivateProfileIntA,_memset,lstrcpyA,GetPrivateProfileStringA,GetSysColor,_memset,_memset,GetPrivateProfileSectionNamesA,lstrcpyA,lstrcpyA,lstrlenA,lstrcpyA,GetPrivateProfileStringA,GetSysColor,GetLastError,SysFreeString,SysFreeString,SysFreeString,SetLastError,lstrcpyA,lstrlenA,lstrcmpA,lstrcpyA,GetPrivateProfileStringA,GetProcAddress,		0_2_0048A330

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OZWLBridge.lnk

Jump to behavior

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore

Jump to behavior

Modifies existing windows services

Source: C:\Windows\System32\SrTasks.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OZWLBridge.lnk

Jump to behavior

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001F4209 IsWindowVisible,IsIconic,	8_2_001F4209
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001CE403 IsIconic,PostMessageW,	8_2_001CE403
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001D4820 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	8_2_001D4820
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001CC8A2 IsWindow,GetFocus,SendMessageW,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	8_2_001CC8A2
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_00225353 GetParent,GetParent,IsIconic,GetParent,	8_2_00225353
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001CD5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,	8_2_001CD5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001CD5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,	8_2_001CD5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001CD5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,	8_2_001CD5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001CD5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,	8_2_001CD5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001CD8AD IsWindowVisible,ScreenToClient,IsIconic,PtInRect,PtInRect,PtInRect,	8_2_001CD8AD
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001B9CA5 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,	8_2_001B9CA5
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001DBD49 IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,GetWindowRect,GetParent,IsRectEmpty,EndDeferWindowPos,	8_2_001DBD49
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F94209 IsWindowVisible,IsIconic,	9_2_00F94209
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6E403 IsIconic,PostMessageW,	9_2_00F6E403
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6C8A2 IsWindow,GetFocus,SendMessageW,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	9_2_00F6C8A2
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F74820 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	9_2_00F74820
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00FC5353 GetParent,GetParent,IsIconic,GetParent,	9_2_00FC5353
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6D5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,	9_2_00F6D5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6D5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,	9_2_00F6D5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6D5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,	9_2_00F6D5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6D5D9 IsIconic,IsIconic,GetWindowRect,IsIconic,OffsetRect,IsIconic,	9_2_00F6D5D9
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F6D8AD IsWindowVisible,ScreenToClient,IsIconic,PtInRect,PtInRect,PtInRect,	9_2_00F6D8AD
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F59CA5 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,	9_2_00F59CA5
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F7BD49 IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,GetWindowRect,GetParent,IsRectEmpty,EndDeferWindowPos,	9_2_00F7BD49

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe

2_2_00007FF7D9437180

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Stores large binary data to the registry

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\VSSVC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Memory allocated: 1C00000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Memory allocated: 1D90000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Memory allocated: 3D90000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Memory allocated: 12B0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Memory allocated: 3020000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Memory allocated: 2E60000 memory reserve \| memory write watch

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\svchost.exe

File opened / queried: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Contains long sleeps (>= 3 min)

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe

Window / User API: threadDelayed 407

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\isr4AC8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ozverify.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\_isres_0x0409.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\SysD707.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ISSetup.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZGD4D8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD57B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTU49AE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Windows\ZTUACControl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\dotNetFx_45.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ISSC3E7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\WebSockets.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\dotnetinstaller.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTrD718.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD629.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTransferLib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTUD813.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\Disk1\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD5DA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLNotify.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridgeForUAC.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\dot49BF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\isrt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\System.Net.Json.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\dot4A95.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD57A.tmp (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Windows\ZTUE4B7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ZTUACControl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZGetUserToken.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\WebD708.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWD678.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\ozvD4F8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\_is4AD9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\ZTUACControl.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLBridge.exe (copy)	Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	API coverage: 7.0 %
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	API coverage: 3.2 %
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	API coverage: 2.8 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\SrTasks.exe TID: 7732	Thread sleep time: -290000s >= -30000s
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe TID: 7136	Thread sleep count: 407 > 30
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe TID: 7136	Thread sleep time: -24420000s >= -30000s
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe TID: 2476	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe TID: 7040	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7216	Thread sleep time: -30000s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File Volume queried: C:\Windows FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00425659 __EH_prolog3_GS,FindFirstFileW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrcatW,SysStringLen,lstrcatW,GetFileAttributesW,lstrcatW,lstrcmpiW,lstrcpynW,lstrcmpiW,lstrcmpiW,SysStringLen,lstrcmpiW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,DeleteFileW,lstrcpyW,	0_2_00425659
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_0042C966 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,	0_2_0042C966
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_00451BC7 __EH_prolog3_GS,FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,RemoveDirectoryW,__CxxThrowException@8,DeleteFileW,	0_2_00451BC7
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_001F11F2 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	8_2_001F11F2
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_00F911F2 __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	9_2_00F911F2

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_0041CF22 CreateFileW,CreateFileMappingW,GetSystemInfo,MapViewOfFile,IsBadReadPtr,UnmapViewOfFile,MapViewOfFile,IsBadReadPtr,GetLastError,

0_2_0041CF22

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Thread delayed: delay time: 60000
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	File opened: C:\Users\user\	Jump to behavior

Source: setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachinealled
Source: setup.exe, 00000001.00000003.2228722617.0000000002831000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2230877414.0000000002848000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine=%ld.
Source: setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachinez}
Source: svchost.exe, 0000000C.00000002.2908799857.0000021F17855000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: setup.exe, 00000001.00000002.2439910239.0000000002925000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2232792483.000000000291E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine4
Source: setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2234140158.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2233259166.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0_GetVirtualMachineType
Source: setup.exe, 00000001.00000002.2439910239.0000000002925000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2210154643.0000000004B6D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2232792483.000000000291E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.1667885797.0000000000881000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2440903656.0000000004B8D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2210555594.0000000004B85000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2435960075.0000000004B8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _IsVirtualMachine
Source: svchost.exe, 00000022.00000002.2917929837.000002C553455000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.2912511691.000002C54DE2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: setup.exe, 00000001.00000003.2235951431.000000000088A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachineZ
Source: svchost.exe, 0000000C.00000003.1958674778.0000021F1786B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000C.00000002.2909107251.0000021F17859000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: setup.exe, 00000001.00000002.2439496440.0000000002747000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2435654784.0000000002740000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2436719585.0000000002746000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2435298859.0000000002735000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bIsVirtualMachine
Source: VSSVC.exe, 0000000B.00000003.2096500791.0000017AD17E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:J
Source: OZWebLauncherUtil.exe, 0000001F.00000002.2910888541.00000000014ED000.00000004.00000020.00020000.00000000.sdmp, OZWebLauncher.exe, 00000021.00000002.2919340220.0000000006538000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SrTasks.exe, 00000010.00000002.2243285813.000002848DDBB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: svchost.exe, 0000000C.00000003.1958586697.0000021F17863000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2234140158.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2233259166.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0_IsVirtualMachine
Source: setup.exe, 00000001.00000003.2210154643.0000000004B6D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000002.2440903656.0000000004B8D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2210555594.0000000004B85000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2435960075.0000000004B8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _IsVirtualMachine3
Source: setup.exe, 00000001.00000003.2211000526.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2213093263.0000000002970000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2211990383.0000000002970000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine=%ld
Source: setup.exe, 00000001.00000003.1667885797.0000000000881000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _GetVirtualMachineType
Source: VSSVC.exe, 0000000B.00000003.2096500791.0000017AD17E7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:{
Source: SrTasks.exe, 00000010.00000003.2153538341.000002848DDBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:889w
Source: setup.exe, 00000001.00000002.2439910239.0000000002925000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2232792483.000000000291E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2228722617.0000000002831000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2235951431.000000000088A000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2230877414.0000000002848000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine
Source: setup.exe, 00000001.00000003.1667885797.0000000000881000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AddIconCallDLLFnComponentViewCreateWindowComponentViewDestroyComponentViewRefreshComponentViewSelectAllComponentViewSetInfoComponentViewSetInfoExCreateFolderDeleteFolderDeleteIconEnableHourGlassEnumFoldersItemsGetCPUTypeGetFontSubGetHandleGetPortsGetSelectedItemStateIsEmptyIsNTAdminIsOSTypeNTIsObjectIsPowerUserLangLoadStringMessageBeepPPathCompactPathPixelPathCrackUrlPathGetDirPathGetDrivePathGetFilePathGetFileExtPathGetFileNamePathGetLongFromShortPathGetPathPathIsValidSyntaxQueryIconReadArrayPropertyReadBoolPropertyReadNumberPropertyReplaceIconShowFolderTextSubSubstituteVerGetFileVersionWriteArrayPropertyWriteBoolPropertyWriteNumberPropertyWriteStringProperty_AppSearch_BrowseForFolder_CCPSearch_CHARArrayToWCHARArray_CalculateAndAddFileCost_CleanupInet_CloseFile_CmdGetHwndDlg_CmdGetMsg_CmdGetParam1_CmdGetParam2_CoGetObject_CompareDWORD_ComponentAddItem_ComponentCompareSizeRequired_ComponentError_ComponentErrorInfo_ComponentFileEnum_ComponentFileInfo_ComponentFilterLanguage_ComponentFilterOS_ComponentGetCost_ComponentGetCostEx_ComponentGetData_ComponentGetItemSize_ComponentGetTotalCost_ComponentGetTotalCostEx_ComponentInitialize_ComponentIsItemSelected_ComponentListItems_ComponentLoadTarget_ComponentMoveData_ComponentPatch_ComponentReinstall_ComponentRemoveAll_ComponentRemoveAllInLogOnly_ComponentSaveTarget_ComponentSelectItem_ComponentSelectNew_ComponentSetData_ComponentSetupTypeEnum_ComponentSetupTypeGetData_ComponentSetupTypeSet_ComponentTotalSize_ComponentTransferData_ComponentUpdate_ComponentValidate_ComponentViewCreate_ComponentViewQueryInfo_CopyBytes_CreateDir_CreateObject_CreateRegistrySet_CreateShellObjects_CtrlGetNotificationCode_CtrlGetParentWindowHelper_CtrlGetSubCommand_CtrlGetUrlForLinkClicked_CtrlSetHtmlContent_CtrlSetMLERichText_DIFxDriverPackageGetPath_DIFxDriverPackageInstall_DIFxDriverPackagePreinstall_DIFxDriverPackageUninstall_DefineDialog_DeleteCHARArray_DialogSetFont_DisableBranding_DisableStatus_Divide_DoInstall_DoSprintf_DotNetCoCreateObject_DotNetUnloadAppDomain_EnableDialogCache_EnablePrevDialog_EnableSkins_EnableStatus_EnableWow64FsRedirection_EndDialog_ExistsDir_ExistsDisk_ExistsFile_ExitInstall_FeatureAddCost_FeatureAddUninstallCost_FeatureGetCost_FeatureInitialize_FeatureSpendCost_FeatureSpendUninstallCost_FileCopy_FloatingPointOperation_GenerateFileMD5SignatureHex_GetByte_GetCurrentDialogName_GetDiskInfo_GetDiskSpaceEx_GetDiskSpaceExEx_GetFont_GetGlobalFlags_GetGlobalMemorySize_GetInetFileSize_GetInetFileTime_GetLine_GetLineSize_GetObject_GetObjectByIndex_GetObjectCount_GetProcessorInfo_GetRunningChildProcess_GetRunningChildProcessEx_GetRunningChildProcessEx2_GetSelectedTreeComponent_GetStandardLangId_GetSupportDir_GetSystemDpi_GetTrueTypeFontFileInfo_GetVirtualMachineType_InetEndofTransfer_InetGetLastError_InetGetNextDisk_InitInstall_IsFontTypefaceNameAvailable_IsInAdminGroup_IsLangSupported_IsSkinLoaded_IsVirtualMachine_IsWindowsME_IsWow64_KillProcesses_ListAddItem_ListAddString_ListCount_ListCreate_ListCurrentIte
Source: VSSVC.exe, 0000000B.00000002.2909812834.0000017AD17D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:{
Source: VSSVC.exe, 0000000B.00000002.2909812834.0000017AD17D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_00464F6E _memset,IsDebuggerPresent,

0_2_00464F6E

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

0_2_0047A0BB

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_004443E5 __EH_prolog3_GS,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,CoCreateInstance,

0_2_004443E5

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_00430226 GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,_strlen,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree,

0_2_00430226

Enables debug privileges

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004638C7 SetUnhandledExceptionFilter,	0_2_004638C7
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: 0_2_004638EA SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004638EA
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D943DCD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF7D943DCD4
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\ISBEW64.exe	Code function: 2_2_00007FF7D94407D8 SetUnhandledExceptionFilter,	2_2_00007FF7D94407D8
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_002B0383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_002B0383
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: 8_2_002B75BC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_002B75BC
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_01050383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_01050383
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: 9_2_010575BC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_010575BC

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe

Memory allocated: page read and write | page guard

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncher.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="OZWebLauncherUtilFireWall" dir=in program="C:\Program Files (x86)\Forcs\OZWebLauncher\OZWebLauncherUtil.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\CheckNetIsolation.exe CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 /s c:\Windows\ZTUACControl.dll
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWLService.exe	Process created: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe "C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Process created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\setup.exe -package:"c:\users\user\desktop\online_install_dialog_ui_ssl.exe" -no_selfdeleter -is_temp -media_path:"c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\disk1\" -tempdisk1folder:"c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\" -is_originallauncher:"c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\disk1\setup.exe"
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Process created: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\setup.exe -package:"c:\users\user\desktop\online_install_dialog_ui_ssl.exe" -no_selfdeleter -is_temp -media_path:"c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\disk1\" -tempdisk1folder:"c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\" -is_originallauncher:"c:\users\user\appdata\local\temp\{01d63416-83e7-40b7-ae24-d6a69aab6dca}\disk1\setup.exe"			Jump to behavior

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

0_2_004448BB

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

0_2_00450887

Source: setup.exe, 00000001.00000003.1659772558.00000000025C0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: ISLOG_VERSION_INFO..\..\..\Shared\LogServices2\LogDB.cppOPTYPE_PROGMANISLOGDB_USER_PROPERTIES,
Source: ISSetup.dll.0.dr	Binary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
Source: setup.exe, 00000001.00000003.2434948860.0000000000869000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2238976039.0000000000867000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2241930878.0000000000869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OPTYPE_PROGMAN
Source: setup.exe, 00000001.00000003.2434948860.0000000000869000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2238976039.0000000000867000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2241930878.0000000000869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OPTYPE_PROGMANes
Source: setup.exe, 00000001.00000003.2434948860.0000000000869000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2238976039.0000000000867000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000001.00000003.2241930878.0000000000869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OPTYPE_PROGMAN;F

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_0046391A cpuid

0_2_0046391A

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW,	0_2_0046E1E0
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: EnumSystemLocalesW,	0_2_0046E450
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_0047A437
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_0046E4AC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	0_2_0046E529
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	0_2_0046E5AC
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,	0_2_004125AD
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: GetLocaleInfoW,	0_2_0046E79F
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0046E8C7
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	0_2_0046E974
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	0_2_0046EA48
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: EnumSystemLocalesW,	0_2_0046EF47
Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe	Code function: GetLocaleInfoW,	0_2_0046EFCD
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: __snwprintf_s,GetLocaleInfoW,PathFindFileNameW,_memset,GetModuleHandleW,GetProcAddress,LoadLibraryExW,	8_2_001B23CB
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWLBridge.exe	Code function: GetLocaleInfoA,	8_2_002C422B
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: __snwprintf_s,GetLocaleInfoW,PathFindFileNameW,_memset,GetModuleHandleW,GetProcAddress,LoadLibraryExW,	9_2_00F523CB
Source: C:\Users\user\AppData\Local\Temp\{FA31C5CE-E965-4705-8F4B-CC3E0950E560}\{E57AA2E7-1A7E-47FB-B362-ED04768595E6}\CloseOZWebLauncher.exe	Code function: GetLocaleInfoA,	9_2_0106422B

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\{01D63416-83E7-40B7-AE24-D6A69AAB6DCA}\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Queries volume information: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Queries volume information: C:\Program Files (x86)\FORCS\OZWebLauncher\WebSockets.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.Classic\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.Classic.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Program Files (x86)\FORCS\OZWebLauncher\WebSockets.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Program Files (x86)\FORCS\OZWebLauncher\System.Net.Json.dll VolumeInformation
Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_0043B52C __EH_prolog3_GS,GetCurrentProcessId,_memset,GetLocalTime,GetModuleFileNameW,

0_2_0043B52C

Source: C:\Users\user\Desktop\OnLine_Install_Dialog_UI_SSL.exe

Code function: 0_2_00430174 GetVersionExW,

0_2_00430174

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncherUtil.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Windows\SysWOW64\cmd.exe

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Adds / modifies Windows certificates

Source: C:\Program Files (x86)\FORCS\OZWebLauncher\OZWebLauncher.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

ID:	1432289
Product:	CloudBasic
Start time:	19:31:05
Start date:	26.04.2024
Sample:	OnLine_Install_Dialog_UI_SSL.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	74db9f552ccae0af3640851c6960f079
SHA1:	44cc1e1e974e90982146719efd496c9721465a4a
SHA256:	c5494d160a1b3cdff381623216bdcc8aef9fc5a18565fd1a679a4e2eb8a7c056
Filetype:	Win32 Executable (generic) a (10002005/4) 95.94%

Windows Analysis Report
OnLine_Install_Dialog_UI_SSL.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Windows Analysis Report OnLine_Install_Dialog_UI_SSL.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Windows Analysis Report
OnLine_Install_Dialog_UI_SSL.exe