Windows Analysis Report
HABICO116N_2024-04-26_16_58_38.139.zip

Overview

General Information

Sample name: HABICO116N_2024-04-26_16_58_38.139.zip
Analysis ID: 1432290
MD5: bf6013620744516862c7e1c8b0d661f4
SHA1: d7100e037f52e2544762678668855129c570ed4f
SHA256: d1eeaa34979a2fb23e94fbcb608a19af38690551e3c6db3790a55c11d8e701ed

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Changes security center settings (notifications, updates, antivirus, firewall)
Creates files in alternative data streams (ADS)
Creates files in the system32 config directory
Found direct / indirect Syscall (likely to bypass EDR)
Installs new ROOT certificates
Overwrites Mozilla Firefox settings
Queries disk data (e.g. SMART data)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal browser information (history, passwords, etc)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a process in suspended mode (likely to inject code)
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables driver privileges
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Spawns drivers

Classification

Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw:z2fzaw5z
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\unins000.dat
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-JM0P7.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-QJ10O.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-AIIPN.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-LK6MP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-JNP9A.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-GS9C6.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-0U1PU.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-46BQS.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-3HLCR.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-4828T.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-UNS0G.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-EP3EK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-RQIEJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-4BMCK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-EOEQ4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-HB8HP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-V4FD9.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-7NOH4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-A4G7I.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-CD182.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-LS2RM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-DMHK4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-G54TJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-1OSP7.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-S5H0H.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-PREND.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-TL64V.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-FLHH1.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-761MJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-4JF0M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-DJ7QD.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-PGQV8.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-FAMCK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-46HPO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-K8UEM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-M3NNI.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-KS05A.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-PQ4GA.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-EN56H.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-2F7HQ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-SELNG.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-M4GM5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-7N3QM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-1299M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-919DS.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-H1A10.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-S0KNU.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-KOOUU.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-0MV76.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-NMSAK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-F5AV1.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-F3DLB.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-HV2M7.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-SSPGO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-AGO4M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-H8NKL.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-MPT1M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-UJ7L5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-7TIHM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-7EU8J.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-RAB4C.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-SRETI.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-HFR2O.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-DUU0T.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-L4JD0.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-517JO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-8438K.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-NG6HC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-19RUB.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-T585E.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-A3J84.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-KDOHO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-610F5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-2OJ4D.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-RDFPT.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-243TO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-TS8A4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-OP56C.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-P50AP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-I85L4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-PRSE3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-7V354.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-9KKRG.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-175RL.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-FTTDO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-TB7UC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-2MC0P.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-RFLP3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-JAPFR.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-Q6IJT.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-7GP3D.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-P3DP5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-SF2F5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-H2KBE.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-7PA03.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-V2BBJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-DI3QD.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-JAUEN.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-HBD7J.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-TUF46.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-9POKC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-QNGBI.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-E4NUM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-D8QQL.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-SB1JP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-2G5JK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-FMBU4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-B7FAP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-KNR3D.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-BH3SO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-HQTIK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-G4AKA.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-69J1V.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-F090J.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-61PSV.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-D55QV.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-VOV28.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-B3OT0.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-0VCHS.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-LSJ6G.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-P2IB0.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-BI5Q3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-S3S2M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-UCIJQ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-C26N7.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-3NU1J.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-QLOJM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-O735A.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-J9SHO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-SGQL5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-BTL0H.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-1IJSL.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-BETPD.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-KM4QE.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-KJRLU.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-R6OEI.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-CK4LU.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-2LNO6.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-ISCLI.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-PH93P.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-9V2J4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-VF293.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-P7A57.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-T08P3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-HAU0N.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-2HSS0.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-GA6EL.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-91AV8.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-44GIE.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-S9VJJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-GQHVJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-J5PQV.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-8V501.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-C7O6K.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-8P99Q.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-BRS51.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-TIL59.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-OLVVS.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-7V331.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-ACRA5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-OI81U.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-LCHU2.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-MPU51.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-DG9B3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-ICFPN.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-EG0JV.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-3BFDH.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-A46SK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-L47KC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-LEC8A.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-NOFUA.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-9Q97G.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-QIHTM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-L8OLS.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-LPAT3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-2A08E.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-81M5D.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\unins000.msg
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw:oyhagmu138iahnc
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw\opt
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw\msvcp120.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw\msvcr120.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw\wsaxbco.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw\local.data
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw:bmh6Lm9wemo
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw\ws.datr
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\autoconf_warsaw.js
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw\ws.dat
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{20E60725-16C8-4FB9-8BC2-AF92C5F8D06D}_is1
Source: unknown HTTPS traffic detected: 13.32.87.91:443 -> 192.168.2.16:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.64.174.114:443 -> 192.168.2.16:49706 version: TLS 1.2
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File opened: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File opened: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File opened: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File opened: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File opened: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: dn.gastecnologia.com.br
Source: global traffic DNS traffic detected: DNS query: cloud.gastecnologia.com.br
Source: global traffic DNS traffic detected: DNS query: cef.dnofd.com
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File created: C:\ProgramData\Temp\cert_temp\cert2.cer
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File created: C:\ProgramData\Temp\_cd\8709caecdc1b32d6decf74ca8a4fd123.wtcf
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File created: C:\ProgramData\Temp\_cd\88561e6508a6a0d226eac047f2994a11.wtcf
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\System32\drivers\is-VGUV7.tmp
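Triage helper, added here as an example; it is not part of the report and not vendor tooling. It parses behaviour lines of the form shown above (a handful copied from this report serve as constructed sample input), separates NTFS alternate data streams ("<path>:<stream>", as in the Warsaw:z2fzaw5z entries) from ordinary dropped files, counts the Inno Setup is-XXXXX.tmp temp names instead of listing them, and collects the certificate file, the Firefox autoconf file, the uninstall registry key, RWX allocations, DNS names, TLS endpoints and the DNS-less UDP peer into one IOC summary. The event names and the is-XXXXX.tmp pattern are assumptions read off this page, not a documented report format.

```python
"""Triage a Joe Sandbox-style behaviour log into an IOC summary.

Added example for this page, not code from the report or from any vendor.
Lines look like "Source: <process> <event>: <value>" (an assumption taken
from the lines above); values are grouped into what an analyst hunts for on
a host rather than listed one per line.
"""
import re
from collections import Counter

# Constructed sample: lines copied from the report above.
SAMPLE_LOG = r"""
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw:z2fzaw5z
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-JM0P7.tmp
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw:bmh6Lm9wemo
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\autoconf_warsaw.js
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{20E60725-16C8-4FB9-8BC2-AF92C5F8D06D}_is1
Source: unknown HTTPS traffic detected: 13.32.87.91:443 -> 192.168.2.16:49703 version: TLS 1.2
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: dn.gastecnologia.com.br
Source: global traffic DNS traffic detected: DNS query: cef.dnofd.com
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File created: C:\ProgramData\Temp\cert_temp\cert2.cer
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File created: C:\ProgramData\Temp\_cd\8709caecdc1b32d6decf74ca8a4fd123.wtcf
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\System32\drivers\is-VGUV7.tmp
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71AF0000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71AF0000 page execute and read and write
""".strip().splitlines()

# Event names as they appear on the page; the source path may contain spaces,
# so the non-greedy source group is terminated by a known event name.
EVENT_RE = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<event>Directory created|File created|File opened|Registry value created"
    r"|HTTPS traffic detected|DNS traffic detected"
    r"|UDP traffic detected without corresponding DNS query"
    r"|Network traffic detected|Memory allocated): (?P<value>.+)$"
)
# A second colon after the drive letter means "<file or dir>:<stream>" (NTFS ADS).
ADS_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^:]*):(?P<stream>[^\\:]+)$")
INNO_TMP_RE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp$")      # Inno Setup temp names
TLS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) ->")
CERT_EXT = (".cer", ".crt", ".der", ".p7b")
FIREFOX_PREF_DIR = "\\mozilla firefox\\defaults\\pref\\"   # compared lower-cased


def parse_line(line):
    """Return (source, event, value) or None for lines that are not events."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    src, event, value = m.group("src"), m.group("event"), m.group("value")
    if event == "DNS traffic detected" and value.startswith("DNS query: "):
        value = value[len("DNS query: "):]
    return src, event, value


def triage(lines):
    """Group parsed events into sorted IOC lists plus per-source temp-file counts."""
    out = {k: set() for k in ("sources", "ads", "dropped", "certs", "firefox_prefs",
                              "registry", "rwx_alloc", "dns", "tls", "udp_no_dns")}
    inno_tmp = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, event, value = parsed
        out["sources"].add(src)
        if event in ("Directory created", "File created"):
            ads = ADS_RE.match(value)
            if ads:                                  # hidden stream on a file/dir
                out["ads"].add((ads.group("path"), ads.group("stream")))
            elif INNO_TMP_RE.search(value):          # installer noise: count only
                inno_tmp[src] += 1
            else:
                out["dropped"].add(value)
                if value.lower().endswith(CERT_EXT):
                    out["certs"].add(value)
                if FIREFOX_PREF_DIR in value.lower():
                    out["firefox_prefs"].add(value)
        elif event == "Registry value created":
            out["registry"].add(value)
        elif event == "Memory allocated" and "execute" in value:
            out["rwx_alloc"].add(value.split()[0])   # dedupe repeated addresses
        elif event == "DNS traffic detected":
            out["dns"].add(value)
        elif event == "HTTPS traffic detected":
            tls = TLS_RE.match(value)
            if tls:
                out["tls"].add(f"{tls.group('ip')}:{tls.group('port')}")
        elif event == "UDP traffic detected without corresponding DNS query":
            out["udp_no_dns"].add(value)
    result = {k: sorted(v) for k, v in out.items()}
    result["inno_tmp_per_source"] = dict(inno_tmp)
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run against the full report instead of the embedded sample by feeding it the file's lines; the hundreds of is-XXXXX.tmp entries collapse to one count per writing process, and the two Warsaw streams, the .cer file, the autoconf_warsaw.js file and the network endpoints are what remains to pivot on.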
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71AF0000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71AF0000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71AE0000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71AE0000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71AD0000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71AC0000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71AB0000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71AA0000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71A90000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71A80000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71A70000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71A60000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71A50000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71A40000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71A30000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71A20000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71A10000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71A00000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71AF0000 page execute and read and write
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Memory allocated: 71AE0000 page execute and read and write
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\system32\drivers\is-RQ3BD.tmp
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Programs
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Programs\Common
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\SysWOW64\config\systemprofile\Saved Games
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\system32\drivers\is-QRBJL.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\system32\drivers\is-NNSG7.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\system32\drivers\is-VGUV7.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\system32\drivers\is-DAPBJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\system32\drivers\is-O3BFN.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Fonts\is-01DD9.tmp
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Topaz OFD
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Topaz OFD\Warsaw
Source: C:\ProgramData\Temp\gbpcefwr64.exe File deleted: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Process token adjusted: Load Driver
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Driver loaded: \registry\machine\SYSTEM\CurrentControlSet\Services\warsaw_injector
Source: classification engine Classification label: mal88.phis.spyw.evad.winZIP@80/336@3/19
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1920:120:WilError_03
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \Sessions\1\BaseNamedObjects\mchMixCache$11d7a18$1bbc
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00000614, API $75730bd0
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\WS_NBCE4DBB1
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \BaseNamedObjects\mchMixCache$11d7a18$18a8
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00001bbc, API $757316c0
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \BaseNamedObjects\Mutex, mAH, Process $000018a8, API $7572f3a0
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2092:120:WilError_03
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \Sessions\1\BaseNamedObjects\mchMixCache$11d7a18$614
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00001bbc, API $71ac0000
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \BaseNamedObjects\Mutex, mAH, Process $000018a8, API $75730bd0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5156:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_03
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \BaseNamedObjects\Mutex, mAH, Process $000018a8, API $71ac0000
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00001bbc, API $75731620
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00000614, API $75731620
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_03
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \BaseNamedObjects\Global\HDA_SYNC_TASK_MUTEX_
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4332:120:WilError_03
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Mutant created: \BaseNamedObjects\Global\WS_N39B5D60D
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \Sessions\1\BaseNamedObjects\Global\HDA_INSTANCE_CONTROL_user_1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3724:120:WilError_03
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00000614, API $757316c0
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \BaseNamedObjects\Mutex, mAH, Process $000018a8, API $75731620
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\wdm203r328905694
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \Sessions\1\BaseNamedObjects\Global\HDA_INSTANCE_CONTROL_user_0
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00000614, API $71ac0000
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\WS_N1D1A924E
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00001bbc, API $75730bd0
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00000614, API $7572f3a0
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \Sessions\1\BaseNamedObjects\Mutex, mAH, Process $00001bbc, API $7572f3a0
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \BaseNamedObjects\Mutex, mAH, Process $000018a8, API $757316c0
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Mutant created: \BaseNamedObjects\Global\HDA_INSTANCE_CONTROL_SYSTEM_1
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File created: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\Instalação do Módulo Adicional de Segurança CAIXA.log
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\TEMP\is-5L66I.tmp\check_core.bat
Source: C:\ProgramData\Temp\gbpcefwr64.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT ProcessId, Name, Description, ExecutablePath FROM Win32_Process WHERE Name LIKE "%firefox.exe"
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process WHERE ExecutablePath like 'C:\\Program Files\\Topaz OFD\\%'
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process WHERE ExecutablePath like 'C:\\Program Files\\Topaz OFD\\Warsaw\\%'
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Process WHERE ExecutablePath like 'C:\\Program Files (x86)\\Topaz OFD\\Warsaw\\%'
Source: C:\Windows\System32\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE Caption = 'CORE.EXE'
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe "C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139C:\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe"
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Process created: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe "C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139C:\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe" admin_service
Source: unknown Process created: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe "C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139C:\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe" service_service
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Process created: C:\ProgramData\Temp\gbpcefwr64.exe C:\ProgramData\Temp\gbpcefwr64.exe /verysilent /sp- /norestart /suppressmsgboxes /restartexitcode=3010 /nocancel /accepteula /log="C:\ProgramData\Temp\wslog.dat"
Source: C:\ProgramData\Temp\gbpcefwr64.exe Process created: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp "C:\Windows\TEMP\is-T0PV4.tmp\gbpcefwr64.tmp" /SL5="$303CE,28710489,832512,C:\ProgramData\Temp\gbpcefwr64.exe" /verysilent /sp- /norestart /suppressmsgboxes /restartexitcode=3010 /nocancel /accepteula /log="C:\ProgramData\Temp\wslog.dat"
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process created: C:\Windows\Temp\is-5L66I.tmp\get_version.exe "C:\Windows\TEMP\is-5L66I.tmp\get_version.exe" "C:\Program Files\Topaz OFD\Warsaw\features.dat" "C:\Windows\TEMP\is-5L66I.tmp\version.txt"
Source: C:\Windows\Temp\is-5L66I.tmp\get_version.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process created: C:\Windows\Temp\is-5L66I.tmp\get_version.exe "C:\Windows\TEMP\is-5L66I.tmp\get_version.exe" "C:\Windows\system32\config\systemprofile\AppData\Local\Topaz OFD\Warsaw\features.dat" "C:\Windows\TEMP\is-5L66I.tmp\version.txt"
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C WMIC PROCESS WHERE "ExecutablePath like 'C:\\Program Files\\Topaz OFD\\%'" DELETE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC PROCESS WHERE "ExecutablePath like 'C:\\Program Files\\Topaz OFD\\%'" DELETE
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C WMIC PROCESS WHERE "ExecutablePath like 'C:\\Program Files\\Topaz OFD\\Warsaw\\%'" DELETE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC PROCESS WHERE "ExecutablePath like 'C:\\Program Files\\Topaz OFD\\Warsaw\\%'" DELETE
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C WMIC PROCESS WHERE "ExecutablePath like 'C:\\Program Files (x86)\\Topaz OFD\\Warsaw\\%'" DELETE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC PROCESS WHERE "ExecutablePath like 'C:\\Program Files (x86)\\Topaz OFD\\Warsaw\\%'" DELETE
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process created: C:\Windows\Temp\is-5L66I.tmp\_isetup\_setup64.tmp helper 105 0x604
Source: C:\Windows\Temp\is-5L66I.tmp\_isetup\_setup64.tmp Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process created: C:\Program Files\Topaz OFD\Warsaw\wstlcup.exe "C:\Program Files\Topaz OFD\Warsaw\wstlcup.exe"
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process created: C:\Windows\Temp\is-5L66I.tmp\corefixer.exe "C:\Windows\TEMP\is-5L66I.tmp\corefixer.exe" /nocert
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process created: C:\Program Files\Topaz OFD\Warsaw\core.exe "C:\Program Files\Topaz OFD\Warsaw\core.exe" --install-service
Source: unknown Process created: C:\Program Files\Topaz OFD\Warsaw\core.exe "C:\Program Files\Topaz OFD\Warsaw\core.exe"
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process created: C:\Windows\System32\sc.exe "sc.exe" start "Warsaw Technology"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\TEMP\is-5L66I.tmp\check_core.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c tasklist /?
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /?
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "imagename eq core.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /C "core.exe"
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Process created: C:\Program Files\Topaz OFD\Warsaw\core.exe C:\Program Files\Topaz OFD\Warsaw\core.exe
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Process created: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe "C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: credui.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: version.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: mscms.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: firewallapi.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: fwbase.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: credui.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: version.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: credui.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: version.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: firewallapi.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: fwbase.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Section loaded: apphelp.dll
Source: C:\ProgramData\Temp\gbpcefwr64.exe Section loaded: version.dll
Source: C:\ProgramData\Temp\gbpcefwr64.exe Section loaded: netapi32.dll
Source: C:\ProgramData\Temp\gbpcefwr64.exe Section loaded: netutils.dll
Source: C:\ProgramData\Temp\gbpcefwr64.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Temp\gbpcefwr64.exe Section loaded: apphelp.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: mpr.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: version.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: netapi32.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: winhttp.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: netutils.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: uxtheme.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: wtsapi32.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: winsta.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: textinputframework.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: coreuicomponents.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: coremessaging.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: ntmarta.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: coremessaging.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: wintypes.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: wintypes.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: wintypes.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: windows.storage.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: wldp.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: profapi.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: shfolder.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: apphelp.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: textshaping.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: wbemcomn.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: sxs.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: napinsp.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: wshbth.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: nlaapi.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: mswsock.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: dnsapi.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: winrnr.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: rasadhlp.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: amsi.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: userenv.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: napinsp.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: wshbth.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: nlaapi.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: winrnr.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: dwmapi.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: napinsp.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: pnrpnsp.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: wshbth.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: nlaapi.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: winrnr.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: fwpuclnt.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: sspicli.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: explorerframe.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: sfc.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: sfc_os.dll
Source: C:\Windows\Temp\is-5L66I.tmp\get_version.exe Section loaded: apphelp.dll
Source: C:\Windows\Temp\is-5L66I.tmp\get_version.exe Section loaded: cryptsp.dll
Source: C:\Windows\Temp\is-5L66I.tmp\get_version.exe Section loaded: rsaenh.dll
Source: C:\Windows\Temp\is-5L66I.tmp\get_version.exe Section loaded: cryptbase.dll
Source: C:\Windows\Temp\is-5L66I.tmp\get_version.exe Section loaded: cryptsp.dll
Source: C:\Windows\Temp\is-5L66I.tmp\get_version.exe Section loaded: rsaenh.dll
Source: C:\Windows\Temp\is-5L66I.tmp\get_version.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\Temp\is-5L66I.tmp\_isetup\_setup64.tmp Section loaded: ntmarta.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: dwrite.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: firewallapi.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: fwbase.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Section loaded: fwpolicyiomgr.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sppc.dll
Source: C:\Program Files\Topaz OFD\Warsaw\wstlcup.exe Section loaded: apphelp.dll
Source: C:\Program Files\Topaz OFD\Warsaw\wstlcup.exe Section loaded: msasn1.dll
Source: C:\Program Files\Topaz OFD\Warsaw\wstlcup.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\is-5L66I.tmp\corefixer.exe Section loaded: apphelp.dll
Source: C:\Windows\Temp\is-5L66I.tmp\corefixer.exe Section loaded: ntmarta.dll
Source: C:\Windows\Temp\is-5L66I.tmp\corefixer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Temp\is-5L66I.tmp\corefixer.exe Section loaded: uxtheme.dll
Source: C:\Windows\Temp\is-5L66I.tmp\corefixer.exe Section loaded: firewallapi.dll
Source: C:\Windows\Temp\is-5L66I.tmp\corefixer.exe Section loaded: dnsapi.dll
Source: C:\Windows\Temp\is-5L66I.tmp\corefixer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Temp\is-5L66I.tmp\corefixer.exe Section loaded: fwbase.dll
Source: C:\Windows\Temp\is-5L66I.tmp\corefixer.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: userenv.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: wtsapi32.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: msvcp140.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: vcruntime140.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: vcruntime140.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: vcruntime140_1.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: msasn1.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: cryptsp.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: rsaenh.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: windows.storage.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: wldp.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: gpapi.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: iphlpapi.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: version.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: wsock32.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: mswsock.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: firewallapi.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: dnsapi.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: fwbase.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: fltlib.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: ntmarta.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: wininet.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: sspicli.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: winsta.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: profapi.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: winhttp.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: dpapi.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\System32\find.exe Section loaded: ulib.dll
Source: C:\Windows\System32\find.exe Section loaded: fsutilext.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: userenv.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /?
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Window found: window name: TMainForm
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw:z2fzaw5z
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\unins000.dat
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-JM0P7.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-QJ10O.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-AIIPN.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-LK6MP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-JNP9A.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-GS9C6.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-0U1PU.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-46BQS.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-3HLCR.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-4828T.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-UNS0G.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-EP3EK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-RQIEJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-4BMCK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-EOEQ4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-HB8HP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-V4FD9.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-7NOH4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-A4G7I.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-CD182.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-LS2RM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-DMHK4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-G54TJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-1OSP7.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-S5H0H.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-PREND.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-TL64V.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-FLHH1.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-761MJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-4JF0M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-DJ7QD.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-PGQV8.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-FAMCK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-46HPO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-K8UEM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-M3NNI.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-KS05A.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-PQ4GA.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-EN56H.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-2F7HQ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-SELNG.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-M4GM5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-7N3QM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-1299M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-919DS.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-H1A10.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-S0KNU.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-KOOUU.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-0MV76.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-NMSAK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-F5AV1.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-F3DLB.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-HV2M7.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-SSPGO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-AGO4M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-H8NKL.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-MPT1M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-UJ7L5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-7TIHM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-7EU8J.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-RAB4C.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-SRETI.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-HFR2O.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-DUU0T.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-L4JD0.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-517JO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-8438K.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-NG6HC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-19RUB.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-T585E.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-A3J84.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-KDOHO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-610F5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-2OJ4D.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-RDFPT.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-243TO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-TS8A4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-OP56C.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-P50AP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-I85L4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-PRSE3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-7V354.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-9KKRG.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-175RL.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-FTTDO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-TB7UC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-2MC0P.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-RFLP3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-JAPFR.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-Q6IJT.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-7GP3D.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-P3DP5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-SF2F5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-H2KBE.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-7PA03.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-V2BBJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-DI3QD.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-JAUEN.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-HBD7J.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-TUF46.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-9POKC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-QNGBI.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-E4NUM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-D8QQL.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-SB1JP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-2G5JK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-FMBU4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-B7FAP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-KNR3D.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-BH3SO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-HQTIK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-G4AKA.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-69J1V.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-F090J.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-61PSV.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-D55QV.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-VOV28.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-B3OT0.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-0VCHS.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-LSJ6G.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-P2IB0.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-BI5Q3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-S3S2M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-UCIJQ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-C26N7.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-3NU1J.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-QLOJM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-O735A.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-J9SHO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-SGQL5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-BTL0H.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-1IJSL.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-BETPD.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-KM4QE.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-KJRLU.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-R6OEI.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-CK4LU.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-2LNO6.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-ISCLI.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-PH93P.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-9V2J4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-VF293.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-P7A57.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-T08P3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-HAU0N.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-2HSS0.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-GA6EL.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-91AV8.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-44GIE.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-S9VJJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-GQHVJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-J5PQV.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-8V501.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-C7O6K.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-8P99Q.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-BRS51.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-TIL59.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-OLVVS.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-7V331.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-ACRA5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-OI81U.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-LCHU2.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-MPU51.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-DG9B3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-ICFPN.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-EG0JV.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-3BFDH.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-A46SK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-L47KC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-LEC8A.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-NOFUA.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-9Q97G.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-QIHTM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-L8OLS.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-LPAT3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-2A08E.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\is-81M5D.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Directory created: C:\Program Files\Topaz OFD\Warsaw\unins000.msg
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw:oyhagmu138iahnc
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw\opt
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw\msvcp120.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw\msvcr120.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw\wsaxbco.dll
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw\local.data
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw:bmh6Lm9wemo
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw\ws.datr
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\autoconf_warsaw.js
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Directory created: C:\Program Files\Topaz OFD\Warsaw\ws.dat
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{20E60725-16C8-4FB9-8BC2-AF92C5F8D06D}_is1
Source: HABICO116N_2024-04-26_16_58_38.139.zip Static file information: File size 3903480 > 1048576

Persistence and Installation Behavior

Source: C:\Program Files\Topaz OFD\Warsaw\core.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Topaz OFD
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Topaz OFD\Warsaw
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\869616C6F29BFF379B12001B54D9CC3898D08759 Blob
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\869616C6F29BFF379B12001B54D9CC3898D08759 Blob
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-69J1V.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-C7O6K.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-4JF0M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-NG6HC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-UCIJQ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-PGMJ9.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-DMHK4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-9T1MH.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-8P6T2.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-9V2J4.tmp
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe File created: C:\Program Files\Topaz OFD\Warsaw\msvcr120.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-V78PE.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-V2BBJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-NQ6ER.tmp
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe File created: C:\Program Files\Topaz OFD\Warsaw\msvcp120.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-M3NNI.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-RFLP3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-S0KNU.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-CD182.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-LK6MP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-UJ7L5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-FVT0H.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-9MEU6.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-OVEKC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-K5OLE.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\System32\drivers\is-QRBJL.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-U3JD8.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-EP3EK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-81M5D.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-243TO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-LH7AK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-5Q6CC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-GQHVJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-KNS80.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-PCK64.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-610F5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-5L4LQ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-S1AQH.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-J35ES.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-G4AKA.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-HFR2O.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-44GIE.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-GBV4Q.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-TIL59.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-P3DP5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-F54EF.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-SUDDL.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-GTJ3V.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-1299M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-GS9C6.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-HN243.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-3HHPB.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-A3DG0.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-VSNQB.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-QLOJM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-AIIPN.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-GQLAS.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-7V331.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-ACRA5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-7JJPM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-MED3Q.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-I05AI.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-3HLCR.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-OI81U.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-DDQS8.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-NHJKQ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-LEC8A.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-7GP3D.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-SNI07.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-S5H0H.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-OD80C.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-A6RUS.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-V4FD9.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-VF293.tmp
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe File created: C:\Program Files (x86)\Topaz OFD\Warsaw\msvcr120.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-UB020.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-J6E0V.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-H2KBE.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-F3DLB.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-1D0ID.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-LS2RM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-ARARM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-SB1JP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-S8JMT.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-HQTIK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-PEVQJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-VDCES.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-6GDPM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-4N8P9.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-QPS0A.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-8D5J6.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-KNACJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-2A08E.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-2G5JK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-PRSE3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-JAUEN.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-Q6BO0.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-3BFDH.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-HLK4M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-BH3SO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-L4JD0.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-JQ9T3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-8HES7.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-ICFPN.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-F0IEN.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-KS05A.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-A46SK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-M4GM5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-919DS.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-P7A57.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-J3TRQ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-I859F.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-A3J84.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-E743S.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-DUU0T.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-HB8HP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-245ML.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-8V501.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-UNS0G.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-517JO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-BRS51.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-9KKRG.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-3NU1J.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-QNGBI.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-7PGAC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-OJ526.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-4UJCA.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-LRJJ4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-7TIHM.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-PJLAC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-D8QQL.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-NMSAK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-RNJ8M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-PH93P.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-B7FAP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-NJRSC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-T9BJK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-257GR.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-FMBU4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-JAPFR.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-9BRTU.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-Q6IJT.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\_isetup\_setup64.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-PTTR1.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-I85L4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-DC0KH.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-2F7HQ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-GSI34.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-H8NKL.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-RQIEJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-46HPO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-47H94.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-VOV28.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-U4KRV.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-7BSLN.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-KDOHO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-OLVVS.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-7NOH4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-TS8A4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-F237R.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-761MJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-KNR3D.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-LPAT3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-EOEQ4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-PQ4GA.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-H1A10.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-79IGP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-TUF46.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\System32\drivers\is-O3BFN.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-7IO91.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\get_version.exe
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-9POKC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-2MC0P.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-LSJ6G.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-RAB4C.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-ISCLI.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-DI3QD.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-0N7L2.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-T585E.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-S9VJJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-A1JBC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-L47KC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-EC67U.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-RP4UP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-5NMFO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-DG9B3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\System32\drivers\is-NNSG7.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-A4G7I.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-9AID7.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-SSPGO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-1OSP7.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-SELNG.tmp
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File created: C:\ProgramData\Temp\_cd\c054fe2fb26941c1a6cca23251b6efc3.wtcf
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-H8KK3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-7PA03.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-FAMCK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-261PJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-NS7KP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-AEBSU.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-0MV76.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-19RUB.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-4TV0M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-PREND.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-O6F2S.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-SF2F5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-C26N7.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-8438K.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-ST47B.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-F5AV1.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-R6OEI.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-MRJTF.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-O55NU.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-4BMCK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-00JJP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-FTTDO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-EN56H.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-NOFUA.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-2HSS0.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-J422F.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-S3S2M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-C4DKQ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-91AV8.tmp
Source: C:\ProgramData\Temp\gbpcefwr64.exe File created: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-DDUV9.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-SRETI.tmp
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe File created: C:\Program Files (x86)\Topaz OFD\Warsaw\msvcp120.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-7EU8J.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-TL64V.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-2OJ4D.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-QTR63.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-B3OT0.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-7037H.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-2LNO6.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-VJTAG.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-L8OLS.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-HAU0N.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-KH558.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-EG0JV.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-46BQS.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-0U1PU.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-RDFPT.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-K8UEM.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-I9PHC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-GV6UC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-FLHH1.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-175RL.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\System32\drivers\is-RQ3BD.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-TB7UC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-T08P3.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-2R39D.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-31L3I.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-0PT5M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-AGO4M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-EBS3T.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-9VM8C.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-E4NUM.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-2KIRS.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-NONPG.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-Q260F.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-4828T.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-KOOUU.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-N40L8.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-RSD7C.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-MPT1M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-9Q97G.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-E76FA.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-ICBSJ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-OP56C.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-D55QV.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-61PSV.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-3BN84.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-HV2M7.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-MPU51.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-5N7BM.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-7V354.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-J5PQV.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-1UP2T.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-CK4LU.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-69B7M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-DJ7QD.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-G54TJ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-PGQV8.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-8GD0B.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-QJ10O.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-8P99Q.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-FIL7C.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-5V3FO.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-JNP9A.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-0VCHS.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-HBD7J.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-F090J.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-HENGA.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-P2IB0.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-7N3QM.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-BI5Q3.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files (x86)\Topaz OFD\Warsaw\is-5ERA9.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw\is-P50AP.tmp Jump to dropped file
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File created: C:\ProgramData\Temp\_cd\c054fe2fb26941c1a6cca23251b6efc3.wtcf Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-OD80C.tmp Jump to dropped file
Source: C:\ProgramData\Temp\gbpcefwr64.exe File created: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-PGMJ9.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-A6RUS.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-8P6T2.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-UB020.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-V78PE.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-47H94.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-NQ6ER.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-7BSLN.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-QTR63.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-FVT0H.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-9MEU6.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-79IGP.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\System32\drivers\is-O3BFN.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-I9PHC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-7IO91.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-GV6UC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\System32\drivers\is-QRBJL.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-U3JD8.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\System32\drivers\is-RQ3BD.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-4N8P9.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\get_version.exe Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-LH7AK.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-QPS0A.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-5Q6CC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-8D5J6.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-31L3I.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-0PT5M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-0N7L2.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-KNS80.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-Q6BO0.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-2KIRS.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-NONPG.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-A1JBC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-EC67U.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-RP4UP.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-5NMFO.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\System32\drivers\is-NNSG7.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-N40L8.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-PCK64.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-RSD7C.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-F0IEN.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-S1AQH.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-E76FA.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-J3TRQ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-I859F.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-H8KK3.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-ICBSJ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-261PJ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-NS7KP.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-245ML.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-1UP2T.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-69B7M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-7PGAC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-4TV0M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-OJ526.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-4UJCA.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-PJLAC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-3HHPB.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-8GD0B.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-RNJ8M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-VSNQB.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-MED3Q.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-7JJPM.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-I05AI.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\is-9BRTU.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Windows\Temp\is-5L66I.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File created: C:\ProgramData\Temp\_cd\c054fe2fb26941c1a6cca23251b6efc3.wtcf Jump to dropped file
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\warsaw_injector
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process created: C:\Windows\System32\sc.exe "sc.exe" start "Warsaw Technology"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp File created: C:\Program Files\Topaz OFD\Warsaw:z2fzaw5z
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Temp\gbpcefwr64.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files\Topaz OFD\Warsaw\core.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe System information queried: FirmwareTableInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe RDTSC instruction interceptor: First address: 7FFF268AFB2D second address: 7FFF268AFB32 instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 rol cl, 1 0x00000005 rdtsc
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe RDTSC instruction interceptor: First address: 7FFF268CF505 second address: 7FFF267C3251 instructions: 0x00000000 rdtsc 0x00000002 cmp esp, 27F7099Fh 0x00000008 popfd 0x00000009 setle dl 0x0000000c dec eax 0x0000000d cdq 0x0000000e jmp 00007F6E1CA0AFB7h 0x00000013 inc ecx 0x00000014 pop eax 0x00000015 inc bp 0x00000017 cmovs ebp, ebx 0x0000001a rdtsc
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe RDTSC instruction interceptor: First address: 7FFF268CF505 second address: 7FFF267C3251 instructions: 0x00000000 rdtsc 0x00000002 cmp esp, 27F7099Fh 0x00000008 popfd 0x00000009 setle dl 0x0000000c dec eax 0x0000000d cdq 0x0000000e jmp 00007F6E1C4EEDC7h 0x00000013 inc ecx 0x00000014 pop eax 0x00000015 inc bp 0x00000017 cmovs ebp, ebx 0x0000001a rdtsc
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe RDTSC instruction interceptor: First address: 7FFF268CF505 second address: 7FFF267C3251 instructions: 0x00000000 rdtsc 0x00000002 cmp esp, 27F7099Fh 0x00000008 popfd 0x00000009 setle dl 0x0000000c dec eax 0x0000000d cdq 0x0000000e jmp 00007F6E1CF86867h 0x00000013 inc ecx 0x00000014 pop eax 0x00000015 inc bp 0x00000017 cmovs ebp, ebx 0x0000001a rdtsc
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Special instruction interceptor: First address: 7FFF268E5B3F instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-69J1V.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-C7O6K.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-NG6HC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-4JF0M.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-PGMJ9.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-DMHK4.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-9T1MH.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-8P6T2.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-9V2J4.tmp
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\msvcr120.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-V78PE.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-V2BBJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-NQ6ER.tmp
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\msvcp120.dll
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-M3NNI.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-RFLP3.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-S0KNU.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-CD182.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-LK6MP.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-UJ7L5.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-FVT0H.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-9MEU6.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-OVEKC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-K5OLE.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\System32\drivers\is-QRBJL.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-U3JD8.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-EP3EK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-81M5D.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-243TO.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-LH7AK.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-5Q6CC.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-GQHVJ.tmp
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-KNS80.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-PCK64.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-5L4LQ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-610F5.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-S1AQH.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-J35ES.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-HFR2O.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-G4AKA.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-44GIE.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-GBV4Q.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-TIL59.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-P3DP5.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-F54EF.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-GTJ3V.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-SUDDL.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-1299M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-GS9C6.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-HN243.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-A3DG0.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-3HHPB.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-VSNQB.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-QLOJM.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-AIIPN.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-GQLAS.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-7V331.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-ACRA5.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-I05AI.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-MED3Q.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-7JJPM.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-3HLCR.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-OI81U.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-DDQS8.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-NHJKQ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-LEC8A.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-7GP3D.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-SNI07.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-S5H0H.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-OD80C.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-V4FD9.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-A6RUS.tmp Jump to dropped file
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\msvcr120.dll Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-VF293.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-UB020.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-J6E0V.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-H2KBE.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-F3DLB.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-1D0ID.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-LS2RM.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-ARARM.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-SB1JP.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-S8JMT.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-PEVQJ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-HQTIK.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-VDCES.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-6GDPM.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-4N8P9.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-QPS0A.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-8D5J6.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-KNACJ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-2A08E.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-2G5JK.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-PRSE3.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-JAUEN.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-Q6BO0.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-3BFDH.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-HLK4M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-L4JD0.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-BH3SO.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-JQ9T3.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-8HES7.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-ICFPN.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-F0IEN.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-KS05A.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-A46SK.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-919DS.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-M4GM5.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-P7A57.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-J3TRQ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-I859F.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-E743S.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-A3J84.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-DUU0T.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-HB8HP.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-245ML.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-8V501.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-517JO.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-UNS0G.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-BRS51.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-9KKRG.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-7PGAC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-QNGBI.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-3NU1J.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-OJ526.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-LRJJ4.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-7TIHM.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-4UJCA.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-D8QQL.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-NMSAK.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-PJLAC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-RNJ8M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-PH93P.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-B7FAP.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-NJRSC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-T9BJK.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-257GR.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-FMBU4.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-JAPFR.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-Q6IJT.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-9BRTU.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-PTTR1.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-I85L4.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-DC0KH.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-2F7HQ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-GSI34.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-H8NKL.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-RQIEJ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-46HPO.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-47H94.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-VOV28.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-U4KRV.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-7BSLN.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-KDOHO.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-OLVVS.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-7NOH4.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-TS8A4.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-F237R.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-761MJ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-KNR3D.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-EOEQ4.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-H1A10.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-PQ4GA.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-TUF46.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-79IGP.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\System32\drivers\is-O3BFN.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-7IO91.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-9POKC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-RAB4C.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-LSJ6G.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-2MC0P.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-ISCLI.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-0N7L2.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-DI3QD.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-T585E.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-S9VJJ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-A1JBC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-L47KC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-RP4UP.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-EC67U.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-5NMFO.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\System32\drivers\is-NNSG7.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-DG9B3.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-A4G7I.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-9AID7.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-SSPGO.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-SELNG.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-1OSP7.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-H8KK3.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-7PA03.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-FAMCK.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-261PJ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-AEBSU.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-NS7KP.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-0MV76.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-19RUB.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-PREND.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-4TV0M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-O6F2S.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-8438K.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-C26N7.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-SF2F5.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-ST47B.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-F5AV1.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-R6OEI.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-MRJTF.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-O55NU.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-4BMCK.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-00JJP.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-FTTDO.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-EN56H.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-NOFUA.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-2HSS0.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-J422F.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-S3S2M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-C4DKQ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-91AV8.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-DDUV9.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-SRETI.tmp Jump to dropped file
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\msvcp120.dll Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-7EU8J.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-TL64V.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-2OJ4D.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-QTR63.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-B3OT0.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-7037H.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-2LNO6.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-VJTAG.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-L8OLS.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-HAU0N.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-KH558.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-EG0JV.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-46BQS.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-0U1PU.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-K8UEM.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-RDFPT.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-FLHH1.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-I9PHC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-GV6UC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-175RL.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\System32\drivers\is-RQ3BD.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-TB7UC.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-T08P3.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-2R39D.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-0PT5M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-AGO4M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-EBS3T.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-9VM8C.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-E4NUM.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-2KIRS.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-NONPG.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-KOOUU.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-4828T.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-Q260F.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-N40L8.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-RSD7C.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-MPT1M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-9Q97G.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-E76FA.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-ICBSJ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-OP56C.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-D55QV.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-61PSV.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-3BN84.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-HV2M7.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-MPU51.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-5N7BM.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-7V354.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-J5PQV.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-1UP2T.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-CK4LU.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-69B7M.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-DJ7QD.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-G54TJ.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-PGQV8.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Windows\Temp\is-5L66I.tmp\is-8GD0B.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-QJ10O.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-8P99Q.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-5V3FO.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-FIL7C.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-JNP9A.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-0VCHS.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-HBD7J.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-F090J.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-HENGA.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-P2IB0.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-7N3QM.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Topaz OFD\Warsaw\is-5ERA9.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-BI5Q3.tmp Jump to dropped file
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Dropped PE file which has not been started: C:\Program Files\Topaz OFD\Warsaw\is-P50AP.tmp Jump to dropped file
Source: C:\Windows\System32\svchost.exe TID: 6208 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp TID: 2900 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp TID: 2900 Thread sleep time: -36000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File opened: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File opened: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File opened: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File opened: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe File opened: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Process information queried: ProcessInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Process queried: DebugPort
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Process queried: DebugObjectHandle
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Process queried: DebugPort
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Process token adjusted: Debug
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Process token adjusted: Debug
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files\Topaz OFD\Warsaw\core.exe NtQuerySystemInformation: Indirect: 0x7FFF268E5B8F
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe NtLoadDriver: Indirect: 0x7FFF28509446
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe NtQueryInformationProcess: Indirect: 0x7FFF268E5B63
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe NtQuerySystemInformation: Indirect: 0x7FFF268E5B84
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe NtQuerySystemInformation: Indirect: 0x7FFF268E5BA5
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Process created: C:\ProgramData\Temp\gbpcefwr64.exe C:\ProgramData\Temp\gbpcefwr64.exe /verysilent /sp- /norestart /suppressmsgboxes /restartexitcode=3010 /nocancel /accepteula /log="C:\ProgramData\Temp\wslog.dat"
Source: C:\Windows\Temp\is-T0PV4.tmp\gbpcefwr64.tmp Process created: C:\Windows\Temp\is-5L66I.tmp\_isetup\_setup64.tmp helper 105 0x604
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC PROCESS WHERE "ExecutablePath like 'C:\\Program Files\\Topaz OFD\\%'" DELETE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC PROCESS WHERE "ExecutablePath like 'C:\\Program Files\\Topaz OFD\\Warsaw\\%'" DELETE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC PROCESS WHERE "ExecutablePath like 'C:\\Program Files (x86)\\Topaz OFD\\Warsaw\\%'" DELETE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c tasklist /?
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "imagename eq core.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /C "core.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /?
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd /c tasklist /?
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FI "imagename eq core.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\find.exe find /C "core.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /?
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Queries volume information: C:\Program Files\Topaz OFD\Warsaw VolumeInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Queries volume information: C:\Program Files\Topaz OFD\Warsaw VolumeInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Queries volume information: C:\Program Files\Topaz OFD\Warsaw VolumeInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Queries volume information: C:\Program Files\Topaz OFD\Warsaw VolumeInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Queries volume information: C:\Program Files\Topaz OFD\Warsaw\wslbmid.dll VolumeInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Queries volume information: C:\Program Files\Topaz OFD\Warsaw\wslbmid.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Queries volume information: C:\Program Files\Topaz OFD\Warsaw VolumeInformation
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Queries volume information: C:\Program Files\Topaz OFD\Warsaw VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\HABICO116N_2024-04-26_16_58_38.139\Device\HarddiskVolume3\Users\Habico\AppData\Local\Temp\MicrosoftEdgeDownloads\7fbe5683-d8bf-40f0-a123-f37dcb0001b0\GBPCEF (1).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db-journal (11 identical events)
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db-journal (7 identical events)
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db-journal (11 identical events)
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db-journal (4 identical events)
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db-journal (8 identical events)
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct' (8 identical events)
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Topaz OFD\Warsaw\core.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: C:\Program Files\Topaz OFD\Warsaw\core.exe Device IO: \Device\Harddisk0\DR0
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\pkcs11.txt
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File opened: C:\Users\user\AppData\Local\Packages\Mozilla.Firefox_n80bbvh6b1yt2\LocalCache\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\key4.db-journal
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert8.db
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db-journal
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\m8f4v4pw.default\cert9.db
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Program Files\Topaz OFD\Warsaw\wsffcmgr64.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert9.db